Code Injection Vulnerability in Craft CMS Plugin Formie
CVE-2024-35191
4.4 MEDIUM
What is CVE-2024-35191?
The Formie plugin for Craft CMS contains a vulnerability that allows users with access to form settings to insert malicious Twig code into fields such as the Submission Title or the Success Message. Because this input is not checked, it can lead to arbitrary code execution when submissions are created or displayed. To mitigate this risk, users are strongly advised to update to Formie version 2.1.6 or later, where the vulnerability has been fixed. Keeping your systems up to date is essential to safeguarding against potential exploits.
Affected Version(s)
formie < 2.1.6
