CVE-2020-11056
Severity: HIGH
Sprout Forms < 3.9.0 - Server-Side Template Injection via Notification Email Custom Fields
In Sprout Forms before 3.9.0, there is a potential Server-Side Template Injection vulnerability when using custom fields in Notification Emails which could lead to the execution of Twig code. This has been fixed in 3.9.0.
References (2)
Core References
Third Party Advisory (x_refsource_confirm)
https://github.com/barrelstrength/craft-sprout-forms/security/advisories/GHSA-px8v-hxxx-2rgh
Release Notes (x_refsource_misc)
https://github.com/barrelstrength/craft-sprout-forms/blob/v3/CHANGELOG.md#390---2020-04-09-critical
Scores
CVSS v3
7.4
EPSS
0.0103
EPSS Percentile
59.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Details
CWE
CWE-74
CWE-94
Status
published
Products (3)
barrelstrength/sprout-base-email
0 - 1.2.7 (Packagist)
barrelstrength/sprout-forms
0 - 3.9.0 (Packagist)
barrelstrengthdesign/sprout_forms
< 3.9.0
Published
May 07, 2020
Tracked Since
Feb 18, 2026