Publish GHSA-jp3q-wwp3-pwv9

advisory-database[bot] · advisory-database[bot] · commit 9eb732a6529b · 2026-01-22T21:42:37.000Z
diff --git a/advisories/github-reviewed/2026/01/GHSA-jp3q-wwp3-pwv9/GHSA-jp3q-wwp3-pwv9.json b/advisories/github-reviewed/2026/01/GHSA-jp3q-wwp3-pwv9/GHSA-jp3q-wwp3-pwv9.json
@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jp3q-wwp3-pwv9",
+  "modified": "2026-01-22T21:42:16Z",
+  "published": "2026-01-22T21:41:14Z",
+  "aliases": [],
+  "summary": "Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue",
+  "details": "**Summary**\nAn authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with `dangerouslySetInnerHTML` without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens.\n\n**Affected Product**\n- Ecosystem: Packagist (Craft CMS plugin)\n- Package: solspace/craft-freeform\n- Version: <= 5.14.6 (latest observed). Likely all 5.x until patched.\n\n**Details**\n- Root cause: Multiple user-controlled strings (field labels, section labels, integration icons, short names, WYSIWYG previews) are injected into React components using `dangerouslySetInnerHTML` without sanitization.\n- Evidence: `dangerouslySetInnerHTML` on user-controlled properties in bundled CP JS at [packages/plugin/src/Resources/js/client/client.js](packages/plugin/src/Resources/js/client/client.js#L1).\n\n**PoCs**\n- Label-based XSS:\n  1. In Craft CP, create/edit a Freeform field and set its label to `<img src=x onerror=\"alert('xss-label')\">`.\n  2. Open the form builder view containing the field.\n  3. Alert executes (stored XSS).\n- Integration icon SVG:\n  1. Set an integration \"icon SVG\" to `<svg><script>alert('xss-icon')</script></svg>`.\n  2. Open the integrations CP view.\n  3. Script executes.\n\n**Impact**\nArbitrary JS in admin CP; session/CSRF token theft; potential full admin takeover via DOM-driven actions.\n\n**Remediation**\n- Sanitize/HTML-encode all user-controlled strings before passing to `dangerouslySetInnerHTML`, or avoid it for labels/titles/icons.\n- Server-side: strip/escape disallowed tags on save for fields, integration metadata, WYSIWYG content.\n- Add regression tests with `<img onerror>` payloads to ensure no execution in builder/integration views.\n\n**Workarounds**\n- Restrict form-edit permissions to trusted admins only until patched.\n- Consider CSP that disallows inline scripts (defense-in-depth only).\n\n**Credits**\n- Discovered by https://www.linkedin.com/in/praveenkavinda/ | Prav33N-Sec.\n\n**Disclosure / CVE Request**\n- Request CVE for this confirmed stored XSS.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "solspace/craft-freeform"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.14.7"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 5.14.6"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/solspace/craft-freeform/security/advisories/GHSA-jp3q-wwp3-pwv9"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/solspace/craft-freeform"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-22T21:41:14Z",
+    "nvd_published_at": null
+  }
+}
