CVE-2023-33971: Formcreator vulnerable to stored XSS from ##FULLFORM##
First published: Wed May 31 2023(Updated: )
Formcreator is a GLPI plugin which allow creation of custom forms and the creation of one or more tickets when the form is filled. A probable stored cross-site scripting vulnerability is present in Formcreator 2.13.5 and prior via the use of the use of `##FULLFORM##` for rendering. This could result in arbitrary javascript code execution in an admin/tech context. A patch is unavailable as of time of publication. As a workaround, one may use a regular expression to remove `< > "` in all fields.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Teclib-edition Form Creator | =2.13.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2023-33971?
CVE-2023-33971 is a probable stored cross-site scripting vulnerability in Formcreator 2.13.5 and prior versions.
What is Formcreator?
Formcreator is a GLPI plugin that allows the creation of custom forms and the creation of tickets when the form is filled.
How does the vulnerability in Formcreator occur?
The vulnerability occurs through the use of `##FULLFORM##` for rendering.
What is the severity of CVE-2023-33971?
The severity of CVE-2023-33971 is medium with a CVSS severity score of 5.4.
How can I fix the vulnerability in Formcreator?
To fix the vulnerability, update Formcreator to version 2.13.6 or later.
- collector/nvd-latest
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/severity
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- agent/source
- vendor/teclib-edition
- canonical/teclib-edition form creator
- version/teclib-edition form creator/2.13.5