GHSA-m5vx-8chx-qvmm · Severity: medium · Ecosystem: composer — Form validation can be skipped
neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. The form state is secured with an HMAC that is still verified, so this issue can only be exploited if Form Finishers cause side effects even when no form values have been sent. Form Finishers can be adjusted so that they only execute an action if the submitted form contains some expected data. Alternatively, a custom Finisher can be added as the first finisher. This regression was introduced with https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567
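An added example (not code from the neos/form project or the advisory) of the second mitigation described above: a custom Finisher placed first in the finisher chain that cancels every subsequent finisher unless the submitted values contain the expected data. It assumes the `Neos\Form\Core\Model\AbstractFinisher` base class with its `parseOption()` helper and the `FinisherContext::getFormValues()` / `cancel()` methods; the `requiredFields` option and the `Acme` namespace are this example's own names.

```php
<?php
// Added example: a guard finisher for neos/form that runs before any
// side-effecting finisher (e-mail, persistence, redirect). Assumes the
// AbstractFinisher base class and FinisherContext::getFormValues()/cancel()
// of Neos.Form; "requiredFields" is an option name chosen for this example.
namespace Acme\Forms\Finishers;

use Neos\Form\Core\Model\AbstractFinisher;

class RequireSubmittedDataFinisher extends AbstractFinisher
{
    /** @var array Form element identifiers that must be present and non-empty. */
    protected $defaultOptions = [
        'requiredFields' => [],
    ];

    protected function executeInternal()
    {
        $formValues = $this->finisherContext->getFormValues();
        $required = (array)$this->parseOption('requiredFields');
        if (!self::hasExpectedData($formValues, $required)) {
            // The finisher chain was reached without the expected form values
            // (e.g. a request carrying only a valid form state): stop here so
            // no later finisher performs its side effect.
            $this->finisherContext->cancel();
        }
    }

    /**
     * True only if every required field is present and non-empty.
     * With an empty required list, any non-empty set of submitted values passes.
     */
    public static function hasExpectedData(array $formValues, array $requiredFields): bool
    {
        if ($requiredFields === []) {
            return $formValues !== [];
        }
        foreach ($requiredFields as $field) {
            if (!isset($formValues[$field]) || $formValues[$field] === '' || $formValues[$field] === []) {
                return false;
            }
        }
        return true;
    }
}
```

Register it as the first entry under `finishers` in the form definition so it executes before any finisher with side effects; `cancel()` prevents the remaining finishers from running.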
Overall assessment: CVE-2021-32697 is medium risk (48.4/100). CVSS severity is medium. Likelihood of exploitation is high (EPSS 1.12%, 62nd percentile). Recommended action: inventory the affected assets and include them in your remediation plan.
Risk changes over time; the content shown on this page is updated based on re-evaluation.
EPSS estimates, on a daily basis, the relative likelihood of exploitation. The percentile shows the position relative to all scored CVEs (higher means relatively more severe).
| # | Date | Old EPSS score | New EPSS score | Δ (new − old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.40% | 1.12% | +0.73% |
| 2 | 2025-03-30 | 0.46% | 0.40% | -0.07% |
| 3 | 2025-03-29 | — | 0.46% | — |
Full EPSS history (9 entries in total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.5 | 3.1 | MEDIUM | | 3.9 | 2.5 | [email protected] |
| 5.3 | 3.1 | MEDIUM | | 3.9 | 1.4 | [email protected] |
| 5.0 | 2.0 | MEDIUM | | 10.0 | 2.9 | [email protected] |
| URL | Tags |
|---|---|
| https://github.com/neos/form-ghsa-m5vx-8chx-qvmm/pull/1 | Broken Link |
| https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567 | Patch, Third Party Advisory |
| https://github.com/neos/form/commit/69de4219b1f58157e2be6b05811463875d75c246 | Patch, Third Party Advisory |
| https://github.com/neos/form/releases/tag/5.1.3 | Release Notes, Third Party Advisory |
| https://github.com/neos/form/security/advisories/GHSA-m5vx-8chx-qvmm | Third Party Advisory |