Platform: php
Component: mirage
Fixed in: 3.1.2
A code injection vulnerability has been identified in Form Tools version 3.1.1. The issue resides in the Setting Handler component, specifically the /admin/settings/index.php?page=accounts page. Attackers can exploit it by manipulating the 'Page Theme' argument, potentially leading to unauthorized code execution. The vulnerability has been publicly disclosed and a fix is available in version 3.1.2.
Successful exploitation of CVE-2024-6936 allows an attacker to inject and execute arbitrary code on the server hosting Form Tools. This could lead to complete system compromise, including data theft, modification, or deletion. The attacker could potentially gain administrative access to the Form Tools installation and any associated databases. Given the web-based nature of Form Tools, this vulnerability could also be leveraged for lateral movement within the network if the server has access to other internal resources. The impact is amplified if Form Tools is used to handle sensitive user data, as this data could be exposed or manipulated.
This vulnerability was publicly disclosed on 2024-07-21. The vulnerability identifier is VDB-271991. The vendor was contacted but did not respond. No public proof-of-concept (PoC) code has been widely reported, but the disclosure indicates the vulnerability is exploitable. The low CVSS score suggests the exploit may require specific conditions or user interaction.
Exploit Status
EPSS
0.11% (29th percentile)
The primary mitigation for CVE-2024-6936 is to upgrade Form Tools to version 3.1.2 or later, which contains the fix. If an immediate upgrade is not possible, consider implementing temporary workarounds such as restricting access to the /admin/settings/index.php?page=accounts endpoint to trusted users only. Web Application Firewalls (WAFs) can be configured to filter requests containing suspicious input in the 'Page Theme' parameter. Thoroughly review and sanitize all user input before processing it within the Form Tools application.
Update Form Tools to version 3.1.2 or later, where the code injection vulnerability has been fixed. If you cannot upgrade immediately, consider disabling or removing the affected component until the upgrade can be applied. Monitor the vendor's security updates.
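As an added example (not part of this advisory or of Form Tools itself), the following Python script screens web-server access logs for requests to the affected settings page whose theme value falls outside a strict name allowlist, the same check a WAF rule or a log review would apply to the 'Page Theme' parameter. It assumes the parameter is sent as `theme` in the query string (a hypothetical name; verify it against your installation), and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined"-style log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - admin [21/Jul/2024:10:01:02 +0000] "GET /admin/settings/index.php?page=accounts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - admin [21/Jul/2024:10:01:40 +0000] "GET /admin/settings/index.php?page=accounts&theme=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Jul/2024:10:02:11 +0000] "GET /admin/settings/index.php?page=accounts&theme=default%27%3Bx%28%29%3B%2F%2F HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.9 - - [21/Jul/2024:10:02:12 +0000] "GET /admin/forms/index.php HTTP/1.1" 302 0 "-" "curl/8.0"
"""

# Minimal parser for the combined log format: client, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A theme name is a directory name; a strict character allowlist rejects
# quotes, semicolons, parentheses, slashes and anything else a code or
# path injection would need.
SAFE_THEME = re.compile(r'^[A-Za-z0-9_-]{1,64}$')
THEME_PARAM = "theme"  # assumed field name; check your own install

AFFECTED_PATH = "/admin/settings/index.php"


def find_suspicious(log_text):
    """Return one record per request carrying a theme value outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != AFFECTED_PATH:
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        if qs.get("page") != ["accounts"]:
            continue
        for value in qs.get(THEME_PARAM, []):
            if not SAFE_THEME.match(value):
                hits.append({"ip": m.group("ip"), "user": m.group("user"),
                             "ts": m.group("ts"), "theme": value})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Settings forms usually submit the value in a POST body, which standard access logs do not record, so apply the same allowlist in a WAF rule or request-body inspection rather than relying on access logs alone.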
CVE-2024-6936 is a code injection vulnerability in Form Tools 3.1.1 affecting the Setting Handler. Attackers can inject code by manipulating the 'Page Theme' parameter, potentially leading to remote code execution.
Yes, if you are running Form Tools version 3.1.1, you are vulnerable to this code injection flaw. Upgrade to version 3.1.2 or later to mitigate the risk.
The recommended fix is to upgrade Form Tools to version 3.1.2 or later. As a temporary workaround, restrict access to the vulnerable endpoint and implement WAF rules.
While no widespread exploitation has been confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Monitor your systems for suspicious activity.
The vulnerability is documented in the VDB (Vulnerability Database) with identifier VDB-271991. Refer to the Form Tools website or community forums for updates.