CVE-2020-28246

9.8 CRITICAL

📋 TL;DR

This CVE describes a Server-Side Template Injection vulnerability in Form.io version 2.0.0 that allows remote code execution when deleting the default email template URL. The vulnerability affects systems running Form.io 2.0.0 with email templating enabled. The vendor disputes the severity, claiming the feature is sandboxed and only accessible to administrators.

💻 Affected Systems

Products:
  • Form.io
Versions: 2.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The email templating service was removed after 2020. According to the vendor, exploitation requires administrative access.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise, with the attacker gaining complete control over the server and the ability to steal data, move laterally, and maintain persistent access.

🟠 Likely Case: Administrative account compromise leading to unauthorized access to form data, configuration changes, and potential data exfiltration.

🟢 If Mitigated: Limited impact thanks to proper access controls and monitoring, with only authorized administrative actions being possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires administrative access to the email template deletion functionality. No public exploit code is known to be available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Any version after 2.0.0

Vendor Advisory: https://github.com/formio/enterprise-release/blob/master/API-Server-Change-Log.md

Restart Required: Yes

Instructions:

1. Upgrade Form.io to a version after 2.0.0.
2. Remove the email templating feature entirely.
3. Restart the application server.

🔧 Temporary Workarounds

Disable Email Templating (applies to: all versions)

Completely disable the email templating feature to remove the attack surface. Modify the configuration to disable email template functionality.

Restrict Administrative Access (applies to: all versions)

Implement strict access controls to limit who can access template management functions. Configure role-based access control so that template operations are restricted to the minimum necessary users.

🧯 If You Can't Patch

  • Implement network segmentation to isolate Form.io servers from critical systems
  • Enable detailed logging and monitoring of all template-related operations

🔍 How to Verify

Check if Vulnerable:

Check whether the deployment is running Form.io version 2.0.0 with email templating enabled.

Check Version:

Check package.json or the application configuration for the installed Form.io version.

Verify Fix Applied:

Verify that the Form.io version is later than 2.0.0 and that email templating is disabled.

📡 Detection & Monitoring

Log Indicators:

  • Unusual template deletion operations
  • Multiple failed template access attempts
  • Administrative actions from unexpected IP addresses

Network Indicators:

  • Unusual outbound connections from Form.io server
  • HTTP requests to template deletion endpoints

SIEM Query:

source="formio" AND (event="template_delete" OR event="email_template")
