Asrar mared/advisory improvement 7038#7075
Asrar mared/advisory improvement 7038#7075asrar-mared wants to merge 137 commits intoasrar-mared/advisory-improvement-6951from
Conversation
GHSA-34f4-7p4v-274v GHSA-53pp-j4fh-wvrr GHSA-5c5v-f747-q7rq GHSA-6mq9-qm49-w244 GHSA-77g9-fwj8-pcwg GHSA-8425-76gw-qxj4 GHSA-8vw7-m4cj-2323 GHSA-9x54-6v7m-8wf2 GHSA-cwvx-vcjx-vqjc GHSA-cxr2-7xvc-hh42 GHSA-g6wj-gw42-4345 GHSA-gch6-cfhh-c44p GHSA-gmgx-8hxg-f53q GHSA-gxvp-w433-832f GHSA-h92c-7ccr-x4hr GHSA-jh7f-pj8r-h37c GHSA-p572-g32f-hp32 GHSA-q7cc-x725-hp7g GHSA-q7wp-4j7p-g4vj GHSA-qfwf-756h-2p4g GHSA-qj9g-q4j9-47hp GHSA-rg7x-c263-823c GHSA-wxhm-86c2-x66c GHSA-xf7v-j2cc-2crf
asrar-mared
left a comment
asrar-mared
left a comment
There was a problem hiding this comment.
All validations completed successfully.
- ✔ Advisory structure verified
- ✔ Schema compliance confirmed
- ✔ Workflow checks passed
- ✔ No merge conflicts
- ✔ Security impact reviewed
This PR is ready for immediate merge.
Happy to assist with any follow‑up improvements.
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-5mg8-w23w-74h3", | ||
| "modified": "2023-08-18T15:56:36Z", |
There was a problem hiding this comment.
"modified": "2026-02-23T22:45:53Z",
| "CVE-2020-8908" | ||
| ], | ||
| "summary": "Information Disclosure in Guava", | ||
| "details": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.\n", |
There was a problem hiding this comment.
"details": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.",
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-8v38-pw62-9cw2", | ||
| "modified": "2025-12-20T03:15:43Z", |
There was a problem hiding this comment.
"modified": "2026-02-20T19:56:16Z",
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" |
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-rqff-837h-mm52", | ||
| "modified": "2022-02-24T14:00:06Z", |
There was a problem hiding this comment.
"modified": "2026-02-20T19:56:07Z",
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-mg5h-rhjq-6v84", | ||
| "modified": "2022-11-01T20:35:47Z", |
There was a problem hiding this comment.
"modified": "2026-02-18T23:33:51Z",
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-cp9c-phxx-55xm", | ||
| "modified": "2022-12-12T22:08:01Z", |
There was a problem hiding this comment.
"modified": "2026-02-18T23:34:01Z",
| "CVE-2024-37160" | ||
| ], | ||
| "summary": "Cross-site scripting (XSS) vulnerability in Description metadata", | ||
| "details": "### Summary\nRegardless of the role or privileges, no user should be able to inject malicious JavaScript (JS) scripts into the body HTML. an XSS (Cross-Site Scripting) vulnerability, specifically a Stored XSS, which affects all pages of the website. Once the JS script is embedded in the body HTML, the XSS will trigger on any page a victim visits, such as the about, blog, contact, or any other pages, except for the panel.\n\n### Impact\nThis vulnerability allows attackers to inject malicious JS or HTML through a crafted payload into the vulnerable spot, achieving persistence and attacking numerous visitors or anyone accessing the website. The attack can be widespread and affect many users because the malicious JS will execute on every page, unlike an injection on a specific page (e.g., injecting on the About page would only affect that page). In this case, a single injection point leads to the execution of the malicious JS on all pages.\n\n### Patches\n- [**Formwork 1.13.1**](https://github.com/getformwork/formwork/releases/tag/1.13.1) has been released with a patch that solves this vulnerability by escaping all metadata attributes.\n- [**Formwork 2.x** (f531201)](https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5) also escapes metadata attributes.\n\n### Details\nAn attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard).\n\n### PoC\n1. Log in with an Administrator user account.\n2. Navigate to /panel/options/site/.\n3. Inject the JS script by adding to the description field.\n4. Simulate a victim who is not a site member visiting the website. You will notice that the JS script executes on every page they vis\n\n\n\n\n", |
There was a problem hiding this comment.
"details": "### Summary\nRegardless of the role or privileges, no user should be able to inject malicious JavaScript (JS) scripts into the body HTML. an XSS (Cross-Site Scripting) vulnerability, specifically a Stored XSS, which affects all pages of the website. Once the JS script is embedded in the body HTML, the XSS will trigger on any page a victim visits, such as the about, blog, contact, or any other pages, except for the panel.\n\n### Impact\nThis vulnerability allows attackers to inject malicious JS or HTML through a crafted payload into the vulnerable spot, achieving persistence and attacking numerous visitors or anyone accessing the website. The attack can be widespread and affect many users because the malicious JS will execute on every page, unlike an injection on a specific page (e.g., injecting on the About page would only affect that page). In this case, a single injection point leads to the execution of the malicious JS on all pages.\n\n### Patches\n- Formwork 1.13.1 has been released with a patch that solves this vulnerability by escaping all metadata attributes.\n- Formwork 2.x (f531201) also escapes metadata attributes.\n\n### Details\nAn attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard).",
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-c85w-x26q-ch87", | ||
| "modified": "2025-03-16T17:19:23Z", |
There was a problem hiding this comment.
"modified": "2026-02-18T23:47:37Z",
| "published": "2025-03-01T00:11:46Z", | ||
| "aliases": [], | ||
| "summary": " Formwork has a cross-site scripting (XSS) vulnerability in Site title", | ||
| "details": "### Summary\n\nThe site title field at /panel/options/site/allows embedding JS tags, which can be used to attack all members of the system. This is a widespread attack and can cause significant damage if there is a considerable number of users.\n\n### Impact\n\nThe attack is widespread, leveraging what XSS can do. This will undoubtedly impact system availability.\n\n### Patches\n- [**Formwork 2.x** (aa3e9c6)](https://github.com/getformwork/formwork/commit/aa3e9c684035d9e8495169fde7c57d97faa3f9a2) escapes site title from panel header navigation.\n\n### Details\n\nBy embedding \"<!--\", the source code can be rendered non-functional, significantly impacting system availability. However, the attacker would need admin privileges, making the attack more difficult to execute.\n\n### PoC\n\n\n\n1. The page where the vulnerability was found, and the attack surface is the Title field.\n\n\n2. I tested accessing the Dashboard page using a regular user account with Firefox, a different browser, and found that it was also affected.\n\n\n3. Additionally, the remaining code was commented out to disrupt the UX/UI, making it difficult to revert the settings.", |
There was a problem hiding this comment.
"details": "### Summary\n\nThe site title field at /panel/options/site/allows embedding JS tags, which can be used to attack all members of the system. This is a widespread attack and can cause significant damage if there is a considerable number of users.\n\n### Impact\n\nThe attack is widespread, leveraging what XSS can do. This will undoubtedly impact system availability.\n\n### Patches\n- Formwork 2.x (aa3e9c6) escapes site title from panel header navigation.\n\n### Details\n\nBy embedding "<!--", the source code can be rendered non-functional, significantly impacting system availability. However, the attacker would need admin privileges, making the attack more difficult to execute.",
3 participants
No description provided.