{"id":"CVE-2023-33971","summary":"Formcreator vulnerable to stored XSS from ##FULLFORM##","details":"Formcreator is a GLPI plugin which allows creation of custom forms and the creation of one or more tickets when the form is filled. A probable stored cross-site scripting vulnerability is present in Formcreator 2.13.5 and prior via the use of `##FULLFORM##` for rendering. This could result in arbitrary JavaScript code execution in an admin/tech context. A patch is unavailable as of time of publication. As a workaround, one may use a regular expression to remove `\u003c \u003e \"` in all fields.","aliases":["GHSA-777g-3848-8r3g"],"modified":"2026-04-10T05:06:16.700568Z","published":"2023-05-31T17:56:18.413Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/33xxx/CVE-2023-33971.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/33xxx/CVE-2023-33971.json"},{"type":"ADVISORY","url":"https://github.com/pluginsGLPI/formcreator/security/advisories/GHSA-777g-3848-8r3g"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33971"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pluginsglpi/formcreator","events":[{"introduced":"0"},{"last_affected":"c5223f04ad50ca595dd88c8daa98c7048bcbdffb"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.13.5"}]}}],"versions":["0.84-2.0","0.84-2.1","0.84-2.1.1","0.85-1.0","0.85-1.1","0.85-1.2","0.85-1.2.1","0.85-1.2.2","0.85-1.2.3","0.85-1.2.4","0.90-1.2.5","0.90-1.3","0.90-1.3.1","0.90-1.3.2","0.90-1.3.3","0.90-1.3.4","2.13.0","2.13.0-alpha.1","2.13.0-alpha.2","2.13.0-alpha.3","2.13.0-alpha.4","2.13.0-beta.1","2.13.0-beta.2","2.13.0-rc.1","2.13.0-rc.2","2.13.1","2.13.3","2.13.4","2.13.5","2.5.2","v2.6.4","v2.8.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33971.js
on"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}