CVE-2023-24230: Formwork Cross-site Scripting (XSS) from Page title field

February 10, 2023 (updated May 28, 2024)

A stored cross-site scripting (XSS) vulnerability in Formwork v1.12.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page title field.

Only users with access to Administration Panel with page editing permission can inject raw HTML in the Page title field.

References

github.com/advisories/GHSA-fvrh-wrpf-6q7h
github.com/getformwork/formwork
github.com/getformwork/formwork/commit/8781ee17ca9b9b7b0b57e090e7f2ba1b27dc1415
medium.com/@0x2bit/formwork-1-12-1-stored-xss-vulnerability-at-page-title-b6efba27891a
nvd.nist.gov/vuln/detail/CVE-2023-24230

Code Behaviors & Features

Detect and mitigate CVE-2023-24230 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →