CVE-2023-33971 Information

Description

Formcreator is a GLPI plugin which allow creation of custom forms and the creation of one or more tickets when the form is filled. A probable stored cross-site scripting vulnerability is present in Formcreator 2.13.5 and prior via the use of the use of FULLFORM for rendering. This could result in arbitrary javascript code execution in an admin/tech context. A patch is unavailable as of time of publication. As a workaround one may use a regular expression to remove < > \ in all fields.

Reference

https://github.com/pluginsGLPI/formcreator/security/advisories/GHSA-777g-3848-8r3g