CVE-2020-11056 HIGH

CVE-2020-11056: Potential Code Injection in Sprout Forms

Vendor Barrelstrength
Product Sprout Forms
Weakness CWE-94 · Code injection
Published May 7, 2020
Last update August 4, 2024

CVSS base score

7.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

In Sprout Forms before 3.9.0, there is a potential Server-Side Template Injection vulnerability when using custom fields in Notification Emails which could lead to the execution of Twig code. This has been fixed in 3.9.0.

Key dates

02Disclosure timeline

May 7, 2020 CVE published
August 4, 2024 Record updated