Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Form validation can be skipped
Vulnerability Description
neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form Finishers cause side effects even if no form values have been sent. Form Finishers can be adjusted in a way that they only execute an action if the submitted form contains some expected data. Alternatively a custom Finisher can be added as first finisher. This regression was introduced with https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Vulnerability Type
输入验证不恰当
Vulnerability Title
Neos/forms 输入验证错误漏洞
Vulnerability Description
Neos/forms是一个用于构建web表单的开源框架。 Neos/forms 存在安全漏洞,该漏洞源于程序通过创建一个包含有效表单状态的特殊"GET"请求,可以在不调用任何验证器的情况下提交表单。
CVSS Information
N/A
Vulnerability Type
N/A