Formcreator is a GLPI plugin which allow creation of custom forms and the creation of one or more tickets when the form is filled. A probable stored cross-site scripting vulnerability is present in Formcreator 2.13.5 and prior via the use of the use of `##FULLFORM##` for rendering. This could result in arbitrary javascript code execution in an admin/tech context. A patch is unavailable as of time of publication. As a workaround, one may use a regular expression to remove `< > "` in all fields.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-05-31T17:56:18.413Z

Updated: 2024-08-02T15:54:14.105Z

Reserved: 2023-05-24T13:46:35.954Z

Link: CVE-2023-33971

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-05-31T18:15:09.683

Modified: 2024-11-21T08:06:19.287

Link: CVE-2023-33971

cve-icon Redhat

No data.