CVE-2024-37160

Public Exploit
Formwork has a Cross-site scripting (XSS) vulnerability in Description metadata

Description

Formwork is a flat file-based Content Management System (CMS). An attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard). This vulnerability is fixed in 1.13.1.

Category

4.8
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.10%
Vendor Advisory github.com
Affected: getformwork formwork
Published at:
Updated at:

References

Link Tags
https://github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6 exploit vendor advisory
https://github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b patch
https://github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5 patch

Frequently Asked Questions

What is the severity of CVE-2024-37160?
CVE-2024-37160 has been scored as a medium severity vulnerability.
How to fix CVE-2024-37160?
To fix CVE-2024-37160, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-37160 being actively exploited in the wild?
It is possible that CVE-2024-37160 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-37160?
CVE-2024-37160 affects getformwork formwork.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.