CVE-2024-37160 - Vulnerability Details - OpenCVE

Formwork is a flat file-based Content Management System (CMS). An attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard). This vulnerability is fixed in 1.13.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00617.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

getformwork

formwork

affected

Version	Status	Constraints
`< 1.13.1`	affected	—
`= 2.0.0-beta.1`	affected	—

Configuration 1 [-]

cpe:2.3:a:formwork_project:formwork:*:*:*:*:*:*:*:*

No data.

No data.

Project Subscriptions

Vendors	Products
Formwork Project Subscribe	Formwork Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2024-1933	Cross-site scripting (XSS) vulnerability in Description metadata
Github GHSA	GHSA-5pxr-7m4j-jjc6	Cross-site scripting (XSS) vulnerability in Description metadata

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b
https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5
https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6

History

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00095}`	epss `{'score': 0.00391}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-06-07T14:09:55.132Z

Updated: 2024-08-02T03:50:55.370Z

Reserved: 2024-06-03T17:29:38.329Z

Link: CVE-2024-37160

Vulnrichment

Updated: 2024-08-02T03:50:55.370Z

NVD

Status : Modified

Published: 2024-06-07T14:15:10.440

Modified: 2024-11-21T09:23:19.910

Link: CVE-2024-37160

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37160", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-03T17:29:38.329Z", "datePublished": "2024-06-07T14:09:55.132Z", "dateUpdated": "2024-08-02T03:50:55.370Z"}, "containers": {"cna": {"title": "Formwork has a Cross-site scripting (XSS) vulnerability in Description metadata", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6"}, {"name": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b", "tags": ["x_refsource_MISC"], "url": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b"}, {"name": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5", "tags": ["x_refsource_MISC"], "url": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5"}], "affected": [{"vendor": "getformwork", "product": "formwork", "versions": [{"version": "< 1.13.1", "status": "affected"}, {"version": "= 2.0.0-beta.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-07T14:09:55.132Z"}, "descriptions": [{"lang": "en", "value": "Formwork is a flat file-based Content Management System (CMS). An attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard). This vulnerability is fixed in 1.13.1."}], "source": {"advisory": "GHSA-5pxr-7m4j-jjc6", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "getformwork", "product": "formwork", "cpes": ["cpe:2.3:a:getformwork:formwork:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.13.1", "versionType": "custom"}, {"version": "2.0.0-beta.1", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-07T16:41:21.309222Z", "id": "CVE-2024-37160", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-07T17:03:41.148Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:50:55.370Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6"}, {"name": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b"}, {"name": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6", "name": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b", "name": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5", "name": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:50:55.370Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-37160", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-07T16:41:21.309222Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:getformwork:formwork:*:*:*:*:*:*:*:*"], "vendor": "getformwork", "product": "formwork", "versions": [{"status": "affected", "version": "0", "lessThan": "1.13.1", "versionType": "custom"}, {"status": "affected", "version": "2.0.0-beta.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-07T17:02:34.523Z"}}], "cna": {"title": "Formwork has a Cross-site scripting (XSS) vulnerability in Description metadata", "source": {"advisory": "GHSA-5pxr-7m4j-jjc6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "getformwork", "product": "formwork", "versions": [{"status": "affected", "version": "< 1.13.1"}, {"status": "affected", "version": "= 2.0.0-beta.1"}]}], "references": [{"url": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6", "name": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b", "name": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5", "name": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Formwork is a flat file-based Content Management System (CMS). An attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard). This vulnerability is fixed in 1.13.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-07T14:09:55.132Z"}}}, "cveMetadata": {"cveId": "CVE-2024-37160", "state": "PUBLISHED", "dateUpdated": "2024-08-02T03:50:55.370Z", "dateReserved": "2024-06-03T17:29:38.329Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-07T14:09:55.132Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:formwork_project:formwork:*:*:*:*:*:*:*:*", "matchCriteriaId": "5622884E-5303-4F87-BDDF-4390642B3841", "versionEndExcluding": "1.13.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Formwork is a flat file-based Content Management System (CMS). An attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard). This vulnerability is fixed in 1.13.1."}, {"lang": "es", "value": "Formwork es un sistema de gesti\u00f3n de contenidos (CMS) basado en archivos planos. Un atacante (requiere privilegios de administrador) puede ejecutar scripts web arbitrarios modificando las opciones del sitio a trav\u00e9s de /panel/options/site. Este tipo de ataque es adecuado para la persistencia y afecta a los visitantes de todas las p\u00e1ginas (excepto el panel de control). Esta vulnerabilidad se solucion\u00f3 en 1.13.1."}], "id": "CVE-2024-37160", "lastModified": "2024-11-21T09:23:19.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-07T14:15:10.440", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}