CVE-2024-35191

low-risk

Published 2024-05-20

Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This has been fixed in Formie 2.1.6.

Do I need to act?

0.22% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.4/10 Medium

LOCAL / LOW complexity

Affected Products (1)

Formie

Affected Vendors

Verbb

References (4)

Patch https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420

Vendor Advisory https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5

Patch https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420

Vendor Advisory https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5

/ 100

low-risk

Severity 15/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal