Date
Severity: Less Critical
Vulnerability: Cross Site Scripting
Affected versions: ≤ 7.x-1.22, ≤ 7.x-2.0-alpha8

Description

The Form Builder module provides an interface for editing and configuring forms. The module doesn't sufficiently sanitize JSON data, allowing persistent Cross Site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter specially formatted HTML link tags containing a payload with malicious JSON data.

Solution

Install the latest version for the branch you are using:


Reported by

  • Yonatan Offek (poiu)

Fixed by

  • Tag1 D7ES

Coordinated by

  • Tag1 D7ES