Name of the Vulnerable Software and Affected Versions: Form Framework (system extension "form") (affected versions not specified)

Description: The issue arises from the failure to properly separate system-related configuration from user-generated configuration, leading to SQL injection and Privilege Escalation risks. An attacker can persist instructions to a form definition file that were not intended to be modified, affecting both form editor module-managed definitions and those uploaded directly via the file list module. Exploitation requires a valid backend user account and the system extension "form" to be activated.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.