In Sprout Forms before 3.9.0, there is a potential Server-Side Template Injection vulnerability when using custom fields in Notification Emails, which could lead to the execution of Twig code. This has been fixed in 3.9.0.
References
| Link | Resource |
|---|---|
| https://github.com/barrelstrength/craft-sprout-forms/blob/v3/CHANGELOG.md#390---2020-04-09-critical | Release Notes |
| https://github.com/barrelstrength/craft-sprout-forms/security/advisories/GHSA-px8v-hxxx-2rgh | Third Party Advisory |
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2020-05-07T20:50:12
Updated: 2020-05-07T20:50:12
Reserved: 2020-03-30T00:00:00
Link: CVE-2020-11056
NVD Information
Status: Analyzed
Published: 2020-05-07T21:15:11.857
Modified: 2021-10-26T20:00:38.957
Link: CVE-2020-11056