{"id":"CVE-2021-38144","details":"An issue was discovered in Form Tools through 3.0.20. A low-privileged user can trigger Reflected XSS when viewing a form via the submission_id parameter, e.g., clients/forms/edit_submission.php?form_id=1&view_id=1&submission_id=[XSS].","modified":"2026-03-14T11:04:51.073764Z","published":"2021-08-31T05:15:06.650Z","references":[{"type":"ADVISORY","url":"https://www.formtools.org/"},{"type":"PACKAGE","url":"https://github.com/formtools/core"},{"type":"EVIDENCE","url":"https://bernardofsr.github.io/blog/2021/form-tools/"},{"type":"EVIDENCE","url":"https://github.com/bernardofsr/CVEs-With-PoC/blob/main/PoCs/Form%20Tools/README.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/formtools/core","events":[{"introduced":"0"},{"last_affected":"051a533bdbfed367e9c6cac19a834d79b490377e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.0.20"}]}}],"versions":["2.0.0","2.0.0-beta-20081219","2.0.0-beta-20081223","2.0.0-beta-20081230","2.0.0-beta-20090101","2.0.0-beta-20090104","2.0.0-beta-20090105","2.0.0-beta-20090106","2.0.0-beta-20090107","2.0.0-beta-20090108","2.0.0-beta-20090111","2.0.0-beta-20090112","2.0.0-beta-20090113","2.0.0-beta-20090114","2.0.0-beta-20090117","2.0.0-beta-20090120","2.0.0-beta-20090131","2.0.0-beta-20090211","2.0.0-beta-20090217","2.0.0-beta-20090223","2.0.0-beta-20090301","2.0.0-beta-20090302","2.0.0-beta-20090305","2.0.0-beta-20090308","2.0.0-beta-20090309","2.0.0-beta-20090312","2.0.0-beta-20090317","2.0.0-beta-20090318","2.0.0-beta-20090319","2.0.0-beta-20090320","2.0.0-beta-20090321","2.0.0-beta-20090327","2.0.0-beta-20090402","2.0.0-beta-20090404","2.0.0-beta-20090407","2.0.0-beta-20090409","2.0.0-beta-20090414","2.0.0-beta-20090427","2.0.0-beta-20090428","2.0.0-beta-20090509","2.0.0-beta-20090510","2.0.0-beta-20090511","2.0.0-beta-20090518","2.0.0-beta-20090524","2.0.0-beta-20090614","2.0.0-beta-20090627","2.0.0-beta-20090712","2.0.0-beta-20090808","2.0.0-beta-20090
809","2.0.0-beta-20090815","2.0.0-beta-20090823","2.0.0-beta-20090826","2.0.0-beta-20090908","2.0.0-beta-20090926","2.0.0-beta-20091003","2.0.0-beta-20091012","2.0.0-beta-20091021","2.0.0-beta-20091030","2.0.0-beta-20091101","2.0.0-beta-20091113","2.0.0-beta-20091116","2.0.0-beta-20091122","2.0.0-beta-20091210","2.0.0-beta-20091212","2.0.0-beta-20091213","2.0.0-beta-20091216","2.0.0-beta-20091224","2.0.0-beta-20100101","2.0.0-beta-20100118","2.0.1","2.0.1-beta-20100410","2.0.1-beta-20100425","2.0.1-beta-20100428","2.0.1-beta-20100516","2.0.2","2.0.3","2.0.3-beta-20100731","2.0.3-beta-20100807","2.0.3-beta-20100908","2.0.3-beta-20100911","2.0.3-beta-20100914","2.0.3-beta-20100915","2.0.3-beta-20100919","2.0.4","2.0.5","2.0.6","2.1.0","2.1.0-alpha-20110426","2.1.0-alpha-20110519","2.1.0-alpha-20110521","2.1.0-alpha-20110522","2.1.0-alpha-20110526","2.1.0-alpha-20110527","2.1.0-alpha-20110528","2.1.0-alpha-20110530","2.1.0-alpha-20110603","2.1.0-alpha-20110607","2.1.0-alpha-20110609","2.1.0-alpha-20110614","2.1.0-beta-20110616","2.1.0-beta-20110618","2.1.0-beta-20110620","2.1.0-beta-20110622","2.1.0-beta-20110623","2.1.0-beta-20110626","2.1.0-beta-20110630","2.1.0-beta-20110702","2.1.0-beta-20110710","2.1.0-beta-20110713","2.1.0-beta-20110714","2.1.0-beta-20110716","2.1.0-beta-20110720","2.1.0-beta-20110729","2.1.0-beta-20110730","2.1.0-beta-20110731","2.1.0-beta-20110802","2.1.0-beta-20110807","2.1.0-beta-20110809","2.1.0-beta-20110811","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.1.6","2.1.7","2.1.8","2.1.9","2.2.0","2.2.1","2.2.2","2.2.3","2.2.4","2.2.5","2.2.6","2.2.7","3.0.0","3.0.0-alpha-20170916","3.0.0-alpha-20170917","3.0.0-alpha-20170922","3.0.0-alpha-20170924","3.0.0-alpha-20170927","3.0.0-alpha-20170930","3.0.0-alpha-20171005","3.0.0-alpha-20171007","3.0.0-alpha-20171014","3.0.0-alpha-20171017","3.0.0-alpha-20171019","3.0.0-alpha-20171023","3.0.0-alpha-20171029","3.0.0-alpha-20171107","3.0.0-alpha-20171108","3.0.0-alpha-20171111","3.0.0-alpha-20171122","3.0.0
-alpha-20171123","3.0.0-alpha-20171127","3.0.0-alpha-20171128","3.0.0-alpha-20171214","3.0.0-alpha-20171215","3.0.0-alpha-20171218","3.0.0-alpha-20171220","3.0.0-alpha-20171225","3.0.0-alpha-20171230","3.0.0-alpha-20180103","3.0.0-alpha-20180114","3.0.0-alpha-20180127","3.0.0-alpha-20180201","3.0.0-beta-20180206","3.0.0-beta-20180224","3.0.0-beta-20180312","3.0.0-beta-20180315","3.0.0-beta-20180318","3.0.0-beta-20180320","3.0.0-beta-20180410","3.0.1","3.0.10","3.0.11","3.0.13","3.0.2","3.0.20","3.0.3","3.0.4","3.0.5","3.0.6","3.0.7","3.0.8","3.0.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-38144.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}