CVE-2024-35191: verbb/formie Server-Side Template Injection for variable-enabled settings
Basic Information

| Field | Value |
|---|---|
| CVE ID | CVE-2024-35191 |
| GHSA ID | |
| CVSS Score | 4.4 (CVSS v3.1) |
| EPSS Score | 0.21869% |
| CWE | |
| Published | 5/20/2024 |
| Updated | 5/20/2024 |
| KEV Status | No |
| Technology | PHP |

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| verbb/formie | composer | < 2.1.6 | 2.1.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The analysis focused on the functions that render user input and process submitted form values, since server-side template injection arises when user-controlled text reaches the template engine as template source rather than as data. The patches show a shift towards safer rendering practices, chiefly by routing such values through Formie::$plugin->getTemplates()->renderObjectTemplate() and renderString(). Functions that used a potentially vulnerable rendering method, or that processed user input in a way that could be exploited, are the ones highlighted.