Security Bulletin: Important Update on Convert Forms
Two security issues were recently identified in the Convert Forms extension by Emanuele Ricciardelli and Horizon Security’s Offensive Team. We appreciate their effort in helping us resolve these issues quickly.
Details
1. Unrestricted File Upload Vulnerability
A vulnerability was found in Convert Forms versions prior to 4.4.8. This issue allowed attackers to bypass the file type restrictions set by form creators and upload unauthorized files to the server. This could lead to the distribution of malicious files or, in some cases, the execution of harmful code on the server. Exploiting this issue requires specific conditions and advanced technical knowledge.
2. Reflected Cross-Site Scripting (XSS) Vulnerability
Another issue identified in Convert Forms versions prior to 4.4.8 was a Reflected XSS vulnerability. It allowed an attacker to upload a file with malicious code in its name via a specially crafted web page. Under certain conditions, that code could be executed in the victim’s browser. This attack also demands a high level of technical expertise and specific conditions.
What You Should Do
These issues were fixed in version 4.4.8 of Convert Forms. To protect your website:
- Update to Convert Forms 4.4.8 or newer. This update resolves both vulnerabilities.
- Regularly update your extensions and frameworks. Keeping your software current is essential for security.
- Review file upload settings. Only allow necessary file types and consider adding more security measures.
These vulnerabilities are rare and require specific conditions to exploit. We have not received any reports of active exploitation. By updating your extension, you can continue using Convert Forms confidently.
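As an added illustration of the "review file upload settings" advice above, the following PHP is example code written for this bulletin, not Convert Forms' own implementation. It shows the two server-side controls that address the issue classes described here: enforcing the form creator's file type allowlist by content rather than by client-supplied name, and never trusting the uploaded filename (the assumed ALLOWED_TYPES allowlist and function names are illustrative).

```php
<?php
// Added example (not Convert Forms code): server-side checks for a form upload.
// The form creator picks the allowed types; the server must enforce them itself.
declare(strict_types=1);

// Illustrative allowlist: extension => acceptable MIME types detected from content.
// Keep it to what the form genuinely needs; never allow executable types.
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];

/**
 * Validate an uploaded file and return a safe name to store it under.
 * Returns null if the upload must be rejected.
 */
function validateUpload(string $originalName, string $tmpPath, array $allowed = ALLOWED_TYPES): ?string
{
    // 1. Extension check against the allowlist, lower-cased, last extension only.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }

    // 2. Content check: inspect the bytes, not the client-supplied Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !in_array($mime, $allowed[$ext], true)) {
        return null;
    }

    // 3. Never reuse the client-supplied name: it is attacker-controlled, and the
    //    filename is where the reflected XSS in this bulletin lived. Store under a
    //    random name with the validated extension instead.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * If the original name must be shown (e.g. in a submissions list), escape it
 * for the HTML context so any markup in it is rendered as text, not executed.
 */
function displayName(string $originalName): string
{
    return htmlspecialchars($originalName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

Call validateUpload() with the name and tmp_name entries of the $_FILES record only after is_uploaded_file() succeeds, and move the file into a directory outside the web root under the returned name.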