CVE-2022-31041

Severity: Medium (CVSS 3.1 base score 6.5)
Published Jun 13, 2022
Last Modified Jun 17, 2026

Description

Open Forms is an application for creating and publishing smart forms. Open Forms supports file uploads as one of the form field types. These fields can be configured to allow only certain file extensions to be uploaded by end users (e.g. only PDF / Excel / ...). The input validation of uploaded files is insufficient in versions prior to 1.0.9 and 1.1.1. Users could alter or strip file extensions to bypass this validation. This results in files being uploaded to the server that are of a different file type than indicated by the file name extension. These files may be downloaded (manually or automatically) by staff and/or other applications for further processing. Malicious files can therefore find their way into internal/trusted networks. Versions 1.0.9 and 1.1.1 contain patches for this issue. As a workaround, an API gateway or intrusion detection solution in front of open-forms may be able to scan for and block malicious content before it reaches the Open Forms application.
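The description above boils down to one mistake: trusting the file name extension as the indicator of file type, so that a renamed or extension-less file slips past the per-field allow-list. The check below is an added example written for this page, not Open Forms' own code or its actual fix: it pairs the extension allow-list with a content check on the file's leading bytes ("magic numbers"), so a file is accepted only when its extension is allowed and its content matches that extension. The magic-number table, the allowed-extension set, and the sample uploads are all constructed for the illustration.

```python
# Added example (not Open Forms' own code): validate an uploaded file by its
# content, not only by the extension in its file name. The signatures, the
# allow-list and the sample uploads below are constructed for illustration.
from typing import Optional, Tuple

# Leading bytes ("magic numbers") of the file types this validator recognises.
# .xlsx is a ZIP container, so it carries the ZIP local-file header.
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "xlsx": (b"PK\x03\x04",),
}

# Extensions a hypothetical form field is configured to accept.
ALLOWED_EXTENSIONS = frozenset({"pdf", "xlsx"})


def extension_of(filename: str) -> str:
    """Return the lower-cased final extension of a file name, or '' if none."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path part
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def sniff_type(head: bytes) -> Optional[str]:
    """Identify the content type from the first bytes, or None if unknown."""
    for kind, signatures in MAGIC.items():
        if any(head.startswith(sig) for sig in signatures):
            return kind
    return None


def validate_upload(filename: str, data: bytes,
                    allowed=ALLOWED_EXTENSIONS) -> Tuple[bool, str]:
    """
    Accept only files whose extension is on the allow-list AND whose content
    matches that extension. Returns (accepted, reason).
    """
    ext = extension_of(filename)
    if not ext:
        # A stripped extension must not bypass the allow-list.
        return False, "file name has no extension"
    if ext not in allowed:
        return False, f"extension .{ext} is not allowed"
    detected = sniff_type(data[:16])
    if detected is None:
        return False, "content does not match any recognised type"
    if detected != ext:
        # Extension was altered: the bytes say one type, the name another.
        return False, f"content looks like {detected} but name claims .{ext}"
    return True, "ok"


# Constructed sample uploads (not real files).
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"),   # genuine PDF
    ("sheet.xlsx", b"PK\x03\x04\x14\x00\x00\x00\x08\x00"),       # ZIP-based xlsx
    ("invoice.pdf", b"<!DOCTYPE html><html><body>x</body>"),     # renamed HTML
    ("archive.pdf", b"PK\x03\x04\x14\x00\x00\x00\x08\x00"),      # ZIP renamed to .pdf
    ("report", b"%PDF-1.4\n"),                                    # extension stripped
    ("tool.exe", b"MZ\x90\x00\x03\x00\x00\x00"),                  # disallowed extension
]

if __name__ == "__main__":
    for name, content in SAMPLES:
        accepted, reason = validate_upload(name, content)
        print(f"{name:12} -> {'accept' if accepted else 'reject'}: {reason}")
```

Leading-byte sniffing is a first line of defence, not a complete one: the ZIP signature matches any ZIP archive, so an `.xlsx` check that matters would also open the container and verify its structure, and a general-purpose detector such as libmagic covers far more formats than a hand-written table. Content checks at the application also complement, rather than replace, the gateway or intrusion-detection scanning the description names as a workaround.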

CVSS Details

Base Score
6.5
Exploitability
2.8
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-20 Improper Input Validation (category: Validation)
CWE-434 Unrestricted Upload of File with Dangerous Type (category: Resource Management)

Affected Products 4

Vendor        Product      Version   Range
maykinmedia   open_forms   *         < 1.0.9
maykinmedia   open_forms   1.1.0     any
maykinmedia   open_forms   1.1.0     any
maykinmedia   open_forms   1.1.0     any

References 2

  • github.com https://github.com/open-formulieren/open-forms/commit/0978a29e821a7228c5d46c0527c3e925eb91b071
    Patch, Third Party Advisory
  • github.com https://github.com/open-formulieren/open-forms/security/advisories/GHSA-h85r-xv4w-cg8g
    Third Party Advisory

Remediation

  • github.com https://github.com/open-formulieren/open-forms/commit/0978a29e821a7228c5d46c0527c3e925eb91b071
    Patch, Third Party Advisory