Vulnerabilities were uncovered following the execution of penetration tests.

The first one could allow a user to have access to the preview mode when this user has access to the Forms results. And the second one could allow a user whose existing privileges grants him/her the ability to both upload files through a form and see the form results, to read any file on the file system accessible by the user running Jahia.

At the time of writing this security patch page, there have been no exploits published.

Impacted versions

• All versions of Forms are impacted to some extent by the vulnerability.

Patch addressing the attack vector

For the first situation, for each website with Forms installed, you can execute the following JCR-SQL2 query in the JCR Query Tool (JAHIA_URL/modules/tools/jcrQuery.jsp) to identify the forms for which a specific access has been granted (do not forget to change the SITE_KEY):

SELECT * FROM [jnt:ace] WHERE [j:aceType]='GRANT' AND [j:roles]='single-form-results-accessor' AND ISDESCENDANTNODE('/sites/SITE_KEY/formFactory/forms') 

For each form:

• Go to the Forms UI (jContent -> Forms -> Create and modify forms)
• Select the form you want and click on the button Modify
• Edit its metadata (gear wheel icon)
• Go to the tab Permissions
• Click on Can view results
• Do the necessary changes, close, save and publish the form

Once done, we strongly advise you to upgrade to Forms Core (3.11.0) to prevent both situations.