
CVE-2024-35191: verbb/formie Server-Side Template Injection for variable-enabled settings

CVSS 3.1 Base Score: 4.4

Basic Information

EPSS Score: 0.21869%
Published: 5/20/2024
Updated: 5/20/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
(local attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope; high confidentiality impact, no integrity or availability impact)

Package Name    Ecosystem    Vulnerable Versions    First Patched Version
verbb/formie    composer     < 2.1.6                2.1.6

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The analysis focused on the functions that render user-controlled input and process form values. The patch moves those call sites to Formie's own templating service, Formie::$plugin->getTemplates()->renderObjectTemplate() and renderString(), in place of the rendering methods used before. The functions that rendered user input through those earlier, exploitable paths are the ones highlighted as vulnerable.


Impact

Users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the
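The following PHP example is added here to illustrate the vulnerability class described in the impact and root-cause sections above; it is not Formie's code, and this page does not say what Formie::$plugin->getTemplates()->renderObjectTemplate() or renderString() do internally. It renders a hypothetical Submission Title setting first through an unrestricted Twig environment (the vulnerable pattern: any public method reachable from the render context can be invoked from the setting) and then under Twig's own sandbox extension with an explicit allow-list, which is one way to harden such a call site. The Submission class, its markApproved() method, the template strings and the field values are constructed for the example; only the twig/twig API is real.

```php
<?php
// Added example, not Formie's own code. A form setting such as the Submission
// Title is a Twig template written by whoever can edit the form's settings.
// Rendering it with plain Twig hands that person the full Twig runtime.

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical stand-in for the object a "submission title" template is rendered against.
final class Submission
{
    public string $status = 'pending';

    public function __construct(public array $fieldValues) {}

    // Something a template must never be able to call.
    public function markApproved(): void
    {
        $this->status = 'approved';
    }
}

// Constructed settings: one from a normal form admin, one from an attacker with
// access to the same form's settings.
$benignTitle    = "Contact from {{ submission.fieldValues.name }}";
$maliciousTitle = "{{ submission.markApproved() }}Contact from {{ submission.fieldValues.name }}";

// Vulnerable pattern: an unrestricted Twig environment, so every public method
// on every object in the render context is callable from the setting.
function renderUnrestricted(string $template, Submission $submission): string
{
    $twig = new Environment(new ArrayLoader());
    return $twig->createTemplate($template)->render(['submission' => $submission]);
}

// Hardened pattern: the same render under Twig's sandbox with an explicit
// allow-list. Anything not listed (methods, filters, functions, tags,
// properties) is refused with a SecurityError.
function renderSandboxed(string $template, Submission $submission): string
{
    $policy = new SecurityPolicy(
        ['if', 'for'],                                  // allowed tags
        ['escape', 'upper', 'lower', 'trim', 'join', 'date'], // allowed filters ('escape' is needed for autoescape)
        [],                                             // allowed methods: none at all
        [Submission::class => ['fieldValues']],         // allowed properties
        []                                              // allowed functions: none
    );
    $twig = new Environment(new ArrayLoader());
    $twig->addExtension(new SandboxExtension($policy, true)); // true = sandbox every template
    return $twig->createTemplate($template)->render(['submission' => $submission]);
}

$s = new Submission(['name' => 'Alice']);
echo renderUnrestricted($benignTitle, $s), "\n";
echo renderUnrestricted($maliciousTitle, $s), "\n";       // visible output is identical ...
echo "status after unrestricted render: {$s->status}\n";  // ... but the template changed server state

$s = new Submission(['name' => 'Alice']);
echo renderSandboxed($benignTitle, $s), "\n";
try {
    renderSandboxed($maliciousTitle, $s);
} catch (SecurityError $e) {
    echo "blocked: ", $e->getMessage(), "\n";              // method call refused before it runs
}
echo "status after sandboxed render: {$s->status}\n";     // still 'pending'
```

Run with `composer require twig/twig` on PHP 8.0 or later. The unrestricted render of the malicious title produces the same visible output as the benign one while flipping the object's status, which is why inspecting rendered output does not reveal template injection; the sandboxed render throws Twig\Sandbox\SecurityError before the method is invoked. The same allow-list also refuses any filter or function a template-injection payload would use to reach PHP directly, because nothing outside the list is permitted. Whichever rendering helper a project routes these settings through, the property to check is the one this example isolates: a form-settings template must not be able to call methods or functions beyond an explicit, reviewed list.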
