Improper Validation of Specified Index, Position, or Offset in Input in getformwork/formwork

Q: How to fix?

A fix was pushed into the master branch but not yet published.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-PHP-GETFORMWORKFORMWORK-9055238
published2 Mar 2025
disclosed1 Mar 2025
creditKyokito1412

Report a new vulnerability Found a mistake?

Introduced: 1 Mar 2025

NewCWE-1285 (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

getformwork/formwork is an a file-based Content Management System (CMS) to make and manage simple sites.

Affected versions of this package are vulnerable to Improper Validation of Specified Index, Position, or Offset in Input due to improper user input sanitization passed through the Role field on the /panel/users/{name}/profile page. An attacker can disrupt the availability of the site and administration panel by injecting invalid user role values. This is only exploitable if the attacker has high privileges or admin access.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
High
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Improper Validation of Specified Index, Position, or Offset in Input Affecting getformwork/formwork package, versions >=0.0.0

Severity