formio 4.2.6-rc.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the formio package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Improper Handling of Case Sensitivity formio is an A Form and Data Management Platform for Progressive Web Applications Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via improper handling of the `path` parameter. An attacker can gain unauthorized access to protected API endpoints by sending specially crafted request paths. Note: This is only exploitable if the application is configured to expose endpoints that rely on the affected path authorization logic. How to fix Improper Handling of Case Sensitivity? Upgrade `formio` to version 3.5.7-rc.1, 4.4.3-rc.1 or higher.	<3.5.7-rc.1>=4.0.0-rc.1 <4.4.3-rc.1
H Remote Code Execution (RCE) formio is an A Form and Data Management Platform for Progressive Web Applications Affected versions of this package are vulnerable to Remote Code Execution (RCE) via Server-Side Template Injection (SSTI) during the deletion of the default email template URL. Note: This issue is only exploitable if using the default template service. The email templating service was removed after 2020. Additionally, the vendor disputes this issue indicating this is sandboxed and only executable by admins. How to fix Remote Code Execution (RCE)? There is no fixed version for `formio`.	*

Vulnerability

Vulnerable Version

Improper Handling of Case Sensitivity

formio is an A Form and Data Management Platform for Progressive Web Applications

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via improper handling of the path parameter. An attacker can gain unauthorized access to protected API endpoints by sending specially crafted request paths.

Note: This is only exploitable if the application is configured to expose endpoints that rely on the affected path authorization logic.

How to fix Improper Handling of Case Sensitivity?

Upgrade formio to version 3.5.7-rc.1, 4.4.3-rc.1 or higher.

<3.5.7-rc.1>=4.0.0-rc.1 <4.4.3-rc.1

Remote Code Execution (RCE)

formio is an A Form and Data Management Platform for Progressive Web Applications

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via Server-Side Template Injection (SSTI) during the deletion of the default email template URL.

Note:

This issue is only exploitable if using the default template service. The email templating service was removed after 2020. Additionally, the vendor disputes this issue indicating this is sandboxed and only executable by admins.

How to fix Remote Code Execution (RCE)?

There is no fixed version for formio.

formio@4.2.6-rc.1 vulnerabilities

The formio server application.

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically