CVE-2024-37160 - Vulnerability Details - OpenCVE

Formwork is a flat file-based Content Management System (CMS). An attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard). This vulnerability is fixed in 1.13.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Formwork Project	Formwork

Configuration 1 [-]

cpe:2.3:a:formwork_project:formwork:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b
https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5
https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6

History

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00095}`	epss `{'score': 0.00391}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-06-07T14:09:55.132Z

Updated: 2024-08-02T03:50:55.370Z

Reserved: 2024-06-03T17:29:38.329Z

Link: CVE-2024-37160

Vulnrichment

Updated: 2024-08-02T03:50:55.370Z

NVD

Status : Modified

Published: 2024-06-07T14:15:10.440

Modified: 2024-11-21T09:23:19.910

Link: CVE-2024-37160

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37160", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-03T17:29:38.329Z", "datePublished": "2024-06-07T14:09:55.132Z", "dateUpdated": "2024-08-02T03:50:55.370Z"}, "containers": {"cna": {"title": "Formwork has a Cross-site scripting (XSS) vulnerability in Description metadata", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6"}, {"name": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b", "tags": ["x_refsource_MISC"], "url": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b"}, {"name": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5", "tags": ["x_refsource_MISC"], "url": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5"}], "affected": [{"vendor": "getformwork", "product": "formwork", "versions": [{"version": "< 1.13.1", "status": "affected"}, {"version": "= 2.0.0-beta.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-07T14:09:55.132Z"}, "descriptions": [{"lang": "en", "value": "Formwork is a flat file-based Content Management System (CMS). An attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard). This vulnerability is fixed in 1.13.1."}], "source": {"advisory": "GHSA-5pxr-7m4j-jjc6", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "getformwork", "product": "formwork", "cpes": ["cpe:2.3:a:getformwork:formwork:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.13.1", "versionType": "custom"}, {"version": "2.0.0-beta.1", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-07T16:41:21.309222Z", "id": "CVE-2024-37160", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-07T17:03:41.148Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:50:55.370Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6"}, {"name": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b"}, {"name": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6", "name": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b", "name": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5", "name": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:50:55.370Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-37160", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-07T16:41:21.309222Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:getformwork:formwork:*:*:*:*:*:*:*:*"], "vendor": "getformwork", "product": "formwork", "versions": [{"status": "affected", "version": "0", "lessThan": "1.13.1", "versionType": "custom"}, {"status": "affected", "version": "2.0.0-beta.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-07T17:02:34.523Z"}}], "cna": {"title": "Formwork has a Cross-site scripting (XSS) vulnerability in Description metadata", "source": {"advisory": "GHSA-5pxr-7m4j-jjc6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "getformwork", "product": "formwork", "versions": [{"status": "affected", "version": "< 1.13.1"}, {"status": "affected", "version": "= 2.0.0-beta.1"}]}], "references": [{"url": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6", "name": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b", "name": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5", "name": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Formwork is a flat file-based Content Management System (CMS). An attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard). This vulnerability is fixed in 1.13.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-07T14:09:55.132Z"}}}, "cveMetadata": {"cveId": "CVE-2024-37160", "state": "PUBLISHED", "dateUpdated": "2024-08-02T03:50:55.370Z", "dateReserved": "2024-06-03T17:29:38.329Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-07T14:09:55.132Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:formwork_project:formwork:*:*:*:*:*:*:*:*", "matchCriteriaId": "5622884E-5303-4F87-BDDF-4390642B3841", "versionEndExcluding": "1.13.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Formwork is a flat file-based Content Management System (CMS). An attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard). This vulnerability is fixed in 1.13.1."}, {"lang": "es", "value": "Formwork es un sistema de gesti\u00f3n de contenidos (CMS) basado en archivos planos. Un atacante (requiere privilegios de administrador) puede ejecutar scripts web arbitrarios modificando las opciones del sitio a trav\u00e9s de /panel/options/site. Este tipo de ataque es adecuado para la persistencia y afecta a los visitantes de todas las p\u00e1ginas (excepto el panel de control). Esta vulnerabilidad se solucion\u00f3 en 1.13.1."}], "id": "CVE-2024-37160", "lastModified": "2024-11-21T09:23:19.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-07T14:15:10.440", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}