4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-35621

GHSA ID

GHSA-gx8m-f3mp-fg99

EPSS Score

0.34577%

CWE

CWE-79

Published

5/28/2024

Updated

6/10/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-35621

CVE-2024-35621:
formwork Cross-site scripting vulnerability in Markdown fields

Impact

Users with access to the administration panel with page editing permissions could insert <script> tags in markdown fields, which are exposed on the publicly accessible site pages, leading to potential XSS injections.

Patches

Formwork 1.13.0 has been released with a patch that solves this vulnerability. Now the system config option content.safe_mode (enabled by default) controls whether HTML tags and potentially dangerous links are escaped. This is configurable as in some cases more flexibility should be given. Panel users should be only a controlled group of editors, which cannot enable the option by themselves, and not a generic group. This mitigates the chance of introducing vulnerabilities.
Formwork 2.x (6adc302) adds a similar content.safeMode system option. Like Formwork 1.13.0, by default HTML tags and dangerous link are escaped. Even if enabled by an administrator, however, <script> and other dangerous tags are still converted to text, but secure tags are allowed.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35621

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-35621

GHSA ID

GHSA-gx8m-f3mp-fg99

EPSS Score

0.34577%

CWE

CWE-79

Published

5/28/2024

Updated

6/10/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
getformwork/formwork	composer	< 1.13.0	1.13.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unescaped HTML in Markdown processing. The key patch adds safe_mode enforcement in ParsedownExtra's constructor via setSafeMode(). In vulnerable versions (<1.13.0), this safety mechanism was missing, leaving the text() method (which converts Markdown to HTML) vulnerable to XSS. The text() method is the primary HTML generation point where script tags would be rendered without proper neutralization when safe mode isn't active.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Us*rs wit* ****ss to t** **ministr*tion p*n*l wit* p*** **itin* p*rmissions *oul* ins*rt `<s*ript>` t**s in m*rk*own *i*l*s, w*i** *r* *xpos** on t** pu*li*ly ****ssi*l* sit* p***s, l***in* to pot*nti*l XSS inj**tions. ### P*t***s - [***

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** *TML in M*rk*own pro**ssin*. T** k*y p*t** ***s s***_mo** *n*or**m*nt in `P*rs**own*xtr*`'s *onstru*tor vi* `s*tS***Mo**()`. In vuln*r**l* v*rsions (<*.**.*), t*is s***ty m****nism w*s missin*, l**vin* t** `t*xt

4.8

Basic Information

Concerned about an active attack path?

CVE-2024-35621: formwork Cross-site scripting vulnerability in Markdown fields

Impact

Patches

References

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-35621:
formwork Cross-site scripting vulnerability in Markdown fields

Vulnerability Intelligence
Miggo AI