Miggo Logo
Miggo Vulnerability Database
CVE-2025-32427

CVE-2025-32427: Formie has XSS vulnerability for importing forms

5.3

CVSS Score
4.0

Basic Information

CVE ID
CVE-2025-32427
GHSA ID
GHSA-p9hh-mh5x-wvx3
EPSS Score
0.22174%
CWE
CWE-79
Published
4/11/2025
Updated
4/11/2025
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Package NameEcosystemVulnerable VersionsFirst Patched Version
verbb/formiecomposer<= 2.1.432.1.44

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability description states that when importing a form from JSON, if the field label or handle contained malicious content, the output wasn't correctly escaped when viewing a preview. The provided commit a64072709e17637c5d2972577030bf9d9981420d directly addresses this. The changes in src/controllers/ImportExportController.php within the actionImportConfigure method show that Html::encode was added to the $field['label'] and $field['handle'] before they are outputted using $this->stdout. This clearly indicates that the actionImportConfigure method was the point where the unescaped data was being handled and outputted, making it the vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t W**n importin* * *orm *rom JSON, i* t** *i*l* l***l or **n*l* *ont*in** m*li*ious *ont*nt, t** output w*sn't *orr**tly *s**p** w**n vi*win* * pr*vi*w o* w**t w*s to ** import**. *s imports *r* un**rt*kin* prim*rily *y us*rs w*o **v* t**ms

Reasoning

T** vuln*r**ility **s*ription st*t*s t**t w**n importin* * *orm *rom JSON, i* t** *i*l* l***l or **n*l* *ont*in** m*li*ious *ont*nt, t** output w*sn't *orr**tly *s**p** w**n vi*win* * pr*vi*w. T** provi*** *ommit `************************************