Skip to content

Potential Code Injection in Sprout Forms

Critical severity GitHub Reviewed Published May 4, 2020 in barrelstrength/craft-sprout-forms • Updated Feb 1, 2023

Package

composer barrelstrength/sprout-base-email (Composer)

Affected versions

< 1.2.7

Patched versions

1.2.7
composer barrelstrength/sprout-forms (Composer)
< 3.9.0
3.9.0

Description

Impact

A potential Server-Side Template Injection vulnerability exists in Sprout Forms which could lead to the execution of Twig code.

Patches

The problem is fixed inbarrelstrength/sprout-forms:v3.9.0 which upgrades to barrelstrength/sprout-base-email:v1.2.7

Workarounds

Users unable to upgrade should update any Notification Emails to use the "Basic Notification (Sprout Email)" template and avoid using the "Basic Notification (Sprout Forms)" template or any custom templates that display Form Fields.

References

  • See the release notes in the CHANGELOG
  • Credits to Paweł Hałdrzyński, Daniel Kalinowski from ISEC.PL for discovery and responsible disclosure

For more information

If you have any questions or comments about this advisory:

References

Last updated Feb 1, 2023
Published to the GitHub Advisory Database May 8, 2020
Reviewed May 8, 2020
Published by the National Vulnerability Database May 7, 2020

Severity

Critical

CVE ID

CVE-2020-11056

GHSA ID

GHSA-px8v-hxxx-2rgh

Source code

No known source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.