Freeform
Stored XSS in Solspace Freeform for Craft CMS 5.x allows authenticated users with form creation privileges to inject malicious JavaScript into form labels and integration metadata, which executes in the Control Panel when administrators view the builder or integrations. Public exploit code exists for this vulnerability. The vulnerability is resolved in version 5.14.7.
Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains a server-side template injection (SSTI) vulnerability, resulting in arbitrary code injection for all users that have access to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, with no authentication required and low attack complexity. Public exploit code is available and no vendor patch is available.