Umbraco Forms v13 - Getting Blank Submissions

cheeseytoastie · April 30, 2025, 10:09am

Client had an event over a couple of hours of getting blank form submissions.

They had hit most of their forms on the site - weird thing is we have Recaptcha v3 on the forms and required fields.

I assume Umbraco forms re-checks for mandatory fields server side - so I’m at a loss to explain how these are getting into the entries and being stored.

Is anyone else seeing an attack like this - perhaps there’s a new vulnerability in forms or someone has found something in a custom bit of code we’ve got that is breaking the serverside checks?

Steve

LuukPeters · April 30, 2025, 11:12am

Is there something in de logs that could help? And what version of Forms are you using?

cheeseytoastie · April 30, 2025, 11:30am

Umb v 13.7.2
Forms v 13.4.1

Having to request the log as it’s too large to display in the backoffice and I don’t have direct access to this client’s prod.

The fact the log is large is a flag…

cheeseytoastie · April 30, 2025, 11:32am

Seems similar to this

cheeseytoastie · April 30, 2025, 1:07pm

Theory (based on not much).

Could it be sanitised submissions. So there is content in the forms, then script tags and containing script is being stripped but still stored in the Umbraco Forms entries table?

It’s about the only thing I can think of that can explain how it’s bypassing the required flags and passing the validation front end back end!?

NikhilPrajapati · May 1, 2025, 12:06pm

Hey @cheeseytoastie,

I hope the required validation has been applied to the fields in Umbraco Forms backoffice, and if the issue is still happening, maybe adjusting the Recaptcha v3 score threshold could help resolve it!