CVE-2023-24230
Published 2023-02-10
Priority: P4 18, medium, 4.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.54% (41.5th percentile)
A stored cross-site scripting (XSS) vulnerability in the component /formwork/panel/dashboard of Formwork v1.12.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page title parameter.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| formwork_project | formwork | — | — |
| getformwork | formwork | >= 0 < 1.13.0 | 1.13.0 |
GHSA
Formwork Cross-site Scripting (XSS) from Page title field
ghsa·2023-02-10
CVE-2023-24230 [MEDIUM] CWE-79 Formwork Cross-site Scripting (XSS) from Page title field
### Description
A stored cross-site scripting (XSS) vulnerability in Formwork v1.12.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page title field.
Only users with access to the Administration Panel and page editing permission can inject raw HTML in the Page title field.
### Patched versions
This vulnerability has been patched in [Formwork 1.13.0](https://github.com/getformwork/formwork/releases/tag/1.13.0).
OSV
Formwork Cross-site Scripting (XSS) from Page title field
osv·2023-02-10
CVE-2023-24230 [MEDIUM] Formwork Cross-site Scripting (XSS) from Page title field
https://github.com/getformwork/formwork/releases/tag/1.12.1
https://medium.com/%400x2bit/formwork-1-12-1-stored-xss-vulnerability-at-page-title-b6efba27891a