Formcreator vulnerable to stored XSS from ##FULLFORM##
CVE-2023-33971

5.4MEDIUM

Key Information:

Vendor: pluginsGLPI
Status: formcreator
Vendor: CVE Published:; 31 May 2023

🔔 Create pluginsGLPI Vulnerability Alert

What is CVE-2023-33971?

Formcreator is a GLPI plugin which allow creation of custom forms and the creation of one or more tickets when the form is filled. A probable stored cross-site scripting vulnerability is present in Formcreator 2.13.5 and prior via the use of the use of ##FULLFORM## for rendering. This could result in arbitrary javascript code execution in an admin/tech context. A patch is unavailable as of time of publication. As a workaround, one may use a regular expression to remove < > " in all fields.

Affected Version(s)

formcreator <= 2.13.5

References

https://github.com/pluginsGLPI/formcreator/security/advis...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 31, 2023
Vulnerability Reserved
May 24, 2023

JSON