CVE-2024-47633 in Zoho Forms Plugin
Summary
by MITRE • 10/05/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Forms Zoho Forms zoho-forms allows Stored XSS.This issue affects Zoho Forms: from n/a through <= 4.0.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/05/2026
The vulnerability identified as CVE-2024-47633 represents a critical cross-site scripting flaw within Zoho Forms version 4.0 and earlier, specifically classified under CWE-79 as improper neutralization of input during web page generation. This vulnerability enables attackers to inject malicious scripts into web pages viewed by other users, creating a persistent security risk that can affect multiple users within the same organization. The flaw manifests in the way Zoho Forms processes and renders user input, failing to properly sanitize or escape data before incorporating it into web page content.
The technical exploitation of this stored XSS vulnerability occurs when an attacker crafts malicious input that gets stored within the application's database and subsequently rendered in web pages accessed by other users. This stored nature differentiates it from reflected XSS attacks, as the malicious payload persists and can affect multiple victims over time. The vulnerability affects all versions of Zoho Forms up to and including version 4.0, indicating a widespread exposure across the product's history. Attackers can leverage this weakness to execute malicious scripts in the context of the victim's browser, potentially stealing session cookies, performing unauthorized actions, or redirecting users to malicious sites.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to fully compromise user sessions and potentially escalate privileges within the Zoho Forms environment. According to ATT&CK framework, this vulnerability maps to T1531 (Run-time Application Masking) and T1059.007 (Command and Scripting Interpreter: JavaScript), as attackers can use the XSS to execute JavaScript code and manipulate the application's runtime behavior. The stored nature of the attack means that once the malicious payload is injected, it can affect any user who views the affected forms or pages, creating a persistent threat vector that can remain active for extended periods.
Organizations using Zoho Forms should immediately implement mitigations including input validation, output encoding, and proper sanitization of all user-provided content before storage and rendering. The recommended approach involves implementing Content Security Policy headers, utilizing secure coding practices that prevent script injection, and ensuring all user inputs are properly escaped when rendered in HTML contexts. Additionally, regular security updates and patch management should be enforced to address this vulnerability. Organizations should also consider implementing web application firewalls to detect and block suspicious input patterns that could indicate XSS attempts. The vulnerability's presence in versions up to 4.0 underscores the importance of maintaining current software versions and conducting regular security assessments to identify similar weaknesses in web applications.