CVE-2024-35191
📋 TL;DR
An authenticated user who has access to a form's settings can place Twig code in settings fields such as the Submission Title or the Success Message. Formie renders those fields as Twig templates when a submission is created or the message is displayed, so the injected code runs on the server: this is server-side template injection (SSTI). Affects the Formie plugin for Craft CMS in versions before 2.1.6, which did not restrict what those fields may contain.
💻 Affected Systems
- Formie plugin for Craft CMS, versions before 2.1.6 (per the vendor advisory)
📦 What is this software?
Formie by Verbb is a form builder plugin for Craft CMS, distributed as the Composer package verbb/formie.
⚠️ Risk & Real-World Impact
Worst Case
Authenticated attacker executes arbitrary server-side code, potentially leading to full system compromise, data theft, or complete site takeover.
Likely Case
A user with form settings access uses injected Twig to read data reachable from the template context (for example submission contents) or to alter what the site renders to visitors.
If Mitigated
With form settings limited to a few trusted administrators, the remaining risk is insider misuse of that permission or a compromised administrator account.
🎯 Exploit Status
Exploitation requires an authenticated user who already holds form settings access; no public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.6
Vendor Advisory: https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5
Restart Required: No
Instructions:
1. Update the Formie plugin to version 2.1.6 or later, either from the Craft CMS control panel (Utilities → Updates) or with Composer (`composer update verbb/formie`).
2. If you updated with Composer, run `php craft migrate/all` so any pending plugin migrations are applied, then confirm the new version is listed under Settings → Plugins.
3. Test form functionality, in particular submission creation and the success message, since those are the code paths the fix touches.
🔧 Temporary Workarounds
Restrict Form Settings Access
Limit the permission to manage form settings to a small set of trusted administrators; the vulnerability is only reachable by users who hold it.
Review Form Settings for Twig
Until you can update, review the Submission Title and Success Message of every form for Twig syntax (`{{ ... }}`, `{% ... %}`, `{# ... #}`). Formie's own variable placeholders use a single brace (for example `{timestamp}`), so Twig delimiters in those fields are a sign something was injected. Note that Formie itself renders these fields, so there is no customer-side hook to "sanitize" them reliably; access restriction is the effective workaround.
🧯 If You Can't Patch
- Immediately restrict form settings access to the minimal set of trusted users.
- Review the stored form settings (Submission Title, Success Message) for Twig syntax, and monitor Craft's logs for Twig errors raised while Formie renders submission titles or messages; a malformed injection fails loudly, a working one does not, so log monitoring alone is not sufficient.
🔍 How to Verify
Check if Vulnerable:
Check the Formie plugin version in the Craft CMS control panel under Settings → Plugins. Any version below 2.1.6 is affected.
Check Version:
composer show verbb/formie
(The "versions" line shows the installed version. This is equivalent to reading the verbb/formie entry in composer.lock.)
Verify Fix Applied:
Confirm that Formie is 2.1.6 or higher in the plugin settings. Updating does not remove Twig that was already stored in form settings, so also review existing forms' Submission Title and Success Message fields to tell whether the issue was exploited before the update.
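The version check above can be automated across many Craft projects by reading each project's composer.lock. The following is an added example, not code from the page or from the Formie project; the composer.lock excerpts are constructed for illustration. It treats `v`-prefixed tags and pre-release suffixes correctly (a 2.1.6 pre-release still counts as older than 2.1.6) and raises on versions it cannot compare, such as `dev-main`, rather than silently calling them safe.

```python
"""Check a composer.lock for a verbb/formie version older than the fixed 2.1.6."""
import json
import re
from typing import Optional, Tuple

# The fix version from the vendor advisory, as (major, minor, patch, prerelease-flag).
FIXED_VERSION = (2, 1, 6, 0)

# Constructed samples of the relevant part of a composer.lock (not real files).
SAMPLE_LOCK_VULNERABLE = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.8.6"},
        {"name": "verbb/formie", "version": "2.1.5"},
    ]
})
SAMPLE_LOCK_FIXED = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.8.6"},
        {"name": "verbb/formie", "version": "v2.1.6"},
    ]
})

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(-.*)?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '2.1.6', 'v2.1.6' or '2.1.6-beta.1' into a comparable tuple.

    The fourth component is -1 for a pre-release and 0 for a release, so
    2.1.6-beta.1 sorts below 2.1.6. Non-numeric versions (e.g. 'dev-main')
    raise instead of being guessed at.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"cannot compare version {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # pad '2.2' to (2, 2, 0)
    prerelease = -1 if m.group(2) else 0
    return (parts[0], parts[1], parts[2], prerelease)


def installed_formie_version(lock_json: str) -> Optional[str]:
    """Return the locked verbb/formie version string, or None if not installed."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "verbb/formie":
                return pkg["version"]
    return None


def is_vulnerable(lock_json: str) -> Optional[bool]:
    """True if Formie is installed and older than 2.1.6, False if fixed, None if absent."""
    version = installed_formie_version(lock_json)
    if version is None:
        return None
    return parse_version(version) < FIXED_VERSION


if __name__ == "__main__":
    for label, lock in (("vulnerable", SAMPLE_LOCK_VULNERABLE), ("fixed", SAMPLE_LOCK_FIXED)):
        state = is_vulnerable(lock)
        print(f"{label}: verbb/formie {installed_formie_version(lock)} -> "
              f"{'VULNERABLE' if state else 'ok'}")
```

Point `is_vulnerable` at the contents of a real composer.lock (for example `open("composer.lock").read()`) to check a deployment; a `None` result means Formie is not installed there at all.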
📡 Detection & Monitoring
Log Indicators:
- Twig syntax or runtime errors in Craft's logs (storage/logs) raised while Formie renders a submission title or success message; a malformed payload fails loudly, a working one produces no error
- Twig delimiters (`{{`, `{%`, `{#`) appearing in a form's Submission Title or Success Message settings, where only plain text and single-brace placeholders are expected
- Edits to form settings by accounts that do not normally manage forms
Network Indicators:
- Form submission responses whose success message contains content the site's administrators did not configure (for example the evaluated result of an injected expression)
SIEM Query:
source="craft_logs" AND severity="ERROR" AND (message="*Twig*" OR message="*formie*")
(The parentheses matter: without them AND binds tighter than OR, and the query would match every message mentioning Twig regardless of severity.)
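Both indicators above can be checked offline. The following is an added example, not code from the page or from Formie: it audits a set of form settings for Twig delimiters while leaving Formie's single-brace placeholders alone, and applies the same predicate as the corrected SIEM query to Craft-style log lines. The setting names (`submissionTitleFormat`, `successMessage`, `errorMessage`) and the log line format are assumptions chosen for illustration; the forms and log lines are constructed sample data.

```python
"""Audit Formie form settings for Twig tags and flag Formie/Twig errors in Craft logs."""
import re
from typing import Dict, List, Tuple

# Twig delimiters: output {{ }}, statement {% %}, comment {# #}. A single-brace
# placeholder such as {timestamp} or {field:email} is Formie's own variable
# syntax and is expected in these fields, so it is deliberately not matched.
TWIG_TAG = re.compile(r"\{\{|\{%|\{#")

# Setting keys worth auditing. Assumed names for illustration; use whatever your
# export or database actually holds.
AUDITED_SETTINGS = ("submissionTitleFormat", "successMessage", "errorMessage")

# Constructed sample: two benign forms and one whose success message carries Twig.
SAMPLE_FORMS: Dict[str, Dict[str, str]] = {
    "contactUs": {
        "submissionTitleFormat": "{timestamp}",
        "successMessage": "Thanks, we'll be in touch.",
    },
    "newsletter": {
        "submissionTitleFormat": "{field:email} signed up",
        "successMessage": "Check your inbox, {field:firstName}!",
    },
    "careers": {
        "submissionTitleFormat": "{timestamp}",
        "successMessage": "Thanks! {{ 7 * 7 }}",   # classic SSTI probe, here as sample data
    },
}


def find_twig(value: str) -> List[str]:
    """Return each Twig construct found in one setting value, with some context."""
    return [value[m.start():m.start() + 40] for m in TWIG_TAG.finditer(value)]


def audit_forms(forms: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Walk {form handle: {setting: value}} and return (form, setting, snippet) findings."""
    findings = []
    for handle, settings in forms.items():
        for key in AUDITED_SETTINGS:
            for snippet in find_twig(settings.get(key) or ""):
                findings.append((handle, key, snippet))
    return findings


# Constructed approximation of Craft's log line format: "<date> <time> [channel.LEVEL] message".
LOG_LINE = re.compile(r"^\S+ \S+ \[(?P<channel>[^.\]]+)\.(?P<level>[A-Z]+)\] (?P<message>.*)$")

SAMPLE_LOG = [
    "2024-05-17 10:02:11 [web.ERROR] [Twig\\Error\\SyntaxError] Unexpected token "
    "\"end of template\" in \"__string_template__abc\" at line 1.",
    "2024-05-17 10:02:12 [web.INFO] Formie: submission 412 saved for form careers",
    "2024-05-17 10:03:40 [web.ERROR] [yii\\db\\Exception] SQLSTATE[HY000]: General error",
]


def is_suspicious_log_line(line: str) -> bool:
    """Same predicate as the SIEM query: severity ERROR and a message mentioning Twig or Formie."""
    m = LOG_LINE.match(line)
    if not m or m.group("level") != "ERROR":
        return False
    message = m.group("message").lower()
    return "twig" in message or "formie" in message


if __name__ == "__main__":
    for form, key, snippet in audit_forms(SAMPLE_FORMS):
        print(f"form {form!r}: Twig in {key}: {snippet!r}")
    for line in SAMPLE_LOG:
        if is_suspicious_log_line(line):
            print("suspicious:", line)
```

Feed `audit_forms` with settings pulled from your own site (a database export or a control panel review) and run `is_suspicious_log_line` over `storage/logs/web-*.log`; remember that a working injection leaves no Twig error, so the settings audit is the check that actually finds a successful one.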
🔗 References
- https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420
- https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5