Solspace Craft CMS Freeform Plugin Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Solspace Freeform plugin for Craft CMS, specifically in versions 5.0.0 through 5.14.6. This vulnerability allows authenticated, low-privilege users who can create or edit forms to inject arbitrary HTML or JavaScript into the Craft Control Panel's builder and integrations views. The issue arises because user-controlled form labels and integration metadata are rendered using 'dangerouslySetInnerHTML' without proper sanitization. As a result, any injected scripts are executed when an admin views the affected screens.
Impact
Exploitation of this vulnerability allows for the execution of injected JavaScript in the admin Control Panel, potentially leading to session hijacking, CSRF token theft, and a full admin takeover through DOM-driven actions.
Reproduction
To reproduce this vulnerability, an authenticated user with form-editing permissions can inject malicious scripts into form labels or integration metadata. Once the data is saved, the injected script will execute when an admin views the form builder or integrations screen.
Remediation
Update to Solspace Freeform version 5.14.7, which fixes this vulnerability.
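As an added example (not Solspace's code), the following contrasts the unsafe rendering behind this issue with a text-only rendering of the same label, and adds an audit that walks saved forms and integration metadata for stored markup so a site owner can review content saved before patching; the data shape and field names (handle, label, integrations, metadata) are assumptions.

```javascript
// Added example (not Solspace code): the rendering mistake behind this
// issue, next to the safe alternative, plus an audit helper that scans
// stored form data for labels or integration metadata containing markup.
// Field names (handle, label, integrations, metadata) are assumptions.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) { return String(s).replace(/[&<>"']/g, c => ESCAPES[c]); }

// Unsafe: the label goes into the DOM as HTML, which is what dangerouslySetInnerHTML does.
function renderLabelUnsafe(label) { return `<label>${label}</label>`; }
// Safe: the label is treated as text, so any tags are shown literally.
function renderLabelSafe(label) { return `<label>${escapeHtml(label)}</label>`; }

// Heuristic: a stored label should never contain an HTML tag, an inline
// event handler or a javascript: URL; "Score < 10" style text does not match.
const MARKUP = /<\s*\/?[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:/i;
function hasMarkup(value) { return typeof value === 'string' && MARKUP.test(value); }

// Walk every form and report where markup has been stored.
function auditForms(forms) {
  const findings = [];
  for (const form of forms) {
    for (const field of form.fields || []) {
      if (hasMarkup(field.label)) {
        findings.push({ form: form.handle, location: `field:${field.handle}`, value: field.label });
      }
    }
    for (const integ of form.integrations || []) {
      for (const [key, val] of Object.entries(integ.metadata || {})) {
        if (hasMarkup(val)) {
          findings.push({ form: form.handle, location: `integration:${integ.handle}.${key}`, value: val });
        }
      }
    }
  }
  return findings;
}

// Constructed sample data, not a real Freeform export.
const SAMPLE_FORMS = [{
  handle: 'contact',
  fields: [
    { handle: 'email', label: 'Email address' },
    { handle: 'score', label: 'Score < 10 or > 5' },
    { handle: 'name', label: 'Name<script>alert(1)</script>' },
  ],
  integrations: [{ handle: 'crm', metadata: { listName: 'Leads', note: 'Leads <b onmouseover=alert(1)>' } }],
}];

console.log(auditForms(SAMPLE_FORMS));
```

Running the block prints two findings, one for the `name` field label and one for the `crm` integration's `note`, while the benign labels are not flagged.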
