CVE-2024-35191
MEDIUMFormie < 2.0.44 and 2.1.0-2.1.5 - Authenticated Server-Side Template Injection via Submission Title or Success Message
Title source: llmDescription
Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This has been fixed in Formie 2.1.6.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5
Patch x_refsource_misc
https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420
Scores
CVSS v3
4.4
EPSS
0.0025
EPSS Percentile
16.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-1336
Status
published
Products (2)
verbb/formie
< 2.0.44
verbb/formie
0 - 2.1.6Packagist
Published
May 20, 2024
Tracked Since
Feb 18, 2026