CVE-2024-35191 Information

Description

Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6 users with access to a form’s settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission or rendering the text. This has been fixed in Formie 2.1.6.

Reference

https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5 https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420