Name of the Vulnerable Software and Affected Versions Formwork versions prior to 2.x

Description The issue arises from improper validation of select fields, allowing attackers to craft an input that crashes the system. This impacts the Availability aspect of the CIA triad, although the attack has certain limitations. The attack involves injecting an invalid user role value into the Role=User parameter in the "/panel/users/{name}/profile" page, which is the user profile update page. This can change the user's data in a way that prevents users and then the entire site from loading. The error is unrecoverable until a valid role parameter is restored by direct modification of the user account file. The condition for this attack is having high privileges or Admin access, which means it could be exploited by an Insider Threat. Alternatively, if an attacker gains access to a privileged user account, they can execute the attack as well. The attack is relatively difficult to carry out, but if successful, the impact and damage would be significant.

Recommendations For Formwork versions prior to 2.x, update to version 2.x, which adds proper validation to select fields. As a temporary workaround, consider restricting access to the "/panel/users/{name}/profile" page to minimize the risk of exploitation. Avoid using the Role=User parameter in the affected page until the issue is resolved.