Vulnerability Description
An issue was discovered in Form Tools through 3.0.20. SQL Injection can occur via the export_group_id field when a low-privileged user (client) tries to export a form with data, e.g., manipulation of modules/export_manager/export.php?export_group_id=1&export_group_1_results=all&export_type_id=1.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Formtools | Core | <= 3.0.20 |
Related Weaknesses (CWE)
References
- https://bernardofsr.github.io/blog/2021/form-tools/ (Exploit, Third Party Advisory)
- https://github.com/bernardofsr/CVEs-With-PoC/blob/main/PoCs/Form%20Tools/README. (Exploit, Third Party Advisory)
- https://github.com/formtools/core/ (Product, Third Party Advisory)
- https://www.formtools.org/ (Product, Vendor Advisory)
FAQ
What is CVE-2021-38145?
CVE-2021-38145 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered in Form Tools through 3.0.20. SQL Injection can occur via the export_group_id field when a low-privileged user (client) tries to export a form with data, e.g., manipulation of ...
How severe is CVE-2021-38145?
CVE-2021-38145 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-38145?
Check the references section above for vendor advisories and patch information. Affected products include: Formtools Core.