CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
CVE-2024-12583 (GCVE-0-2024-12583)
Vulnerability from cvelistv5 – Published: 2025-01-04 08:22 – Updated: 2026-04-08 17:03
VLAI
Title
Dynamics 365 Integration <= 1.3.23 - Authenticated (Contributor+) Remote Code Execution and Arbitrary File Read via Twig Server-Side Template Injection
Summary
The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
Severity
9.9 (Critical)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| alexacrm | Dynamics 365 Integration |
Affected:
0 , ≤ 1.3.23
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12583",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T16:18:46.655922Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T16:34:41.066Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Dynamics 365 Integration",
"vendor": "alexacrm",
"versions": [
{
"lessThanOrEqual": "1.3.23",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:03:18.814Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f3dac5a-9ff8-4e8c-8c73-422123e121d8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/integration-dynamics/trunk/src/Shortcode/Twig.php#L53"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3210927/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-03T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Dynamics 365 Integration \u003c= 1.3.23 - Authenticated (Contributor+) Remote Code Execution and Arbitrary File Read via Twig Server-Side Template Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12583",
"datePublished": "2025-01-04T08:22:51.633Z",
"dateReserved": "2024-12-12T17:26:16.839Z",
"dateUpdated": "2026-04-08T17:03:18.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-23692 (GCVE-0-2024-23692)
Vulnerability from cvelistv5 – Published: 2024-05-31 09:36 – Updated: 2025-11-22 12:13 Unsupported When Assigned
VLAI
Title
Rejetto HTTP File Server 2.3m Unauthenticated RCE
Summary
Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.
Severity
9.8 (Critical)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vulncheck.com/advisories/rejetto-unauth-rce | third-party-advisory |
| https://mohemiv.com/all/rejetto-http-file-server-… | third-party-advisorytechnical-description |
| https://github.com/rapid7/metasploit-framework/pu… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Rejetto | HTTP File Server |
Affected:
0 , ≤ 2.3m
(custom)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:rejetto:http_file_server:2.3m:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "http_file_server",
"vendor": "rejetto",
"versions": [
{
"lessThanOrEqual": "2.3m",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23692",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-12T03:55:17.635887Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-07-09",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-23692"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:05:17.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-23692"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-09T00:00:00.000Z",
"value": "CVE-2024-23692 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-06-17T19:51:35.582Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.vicarius.io/vsociety/posts/unauthenticated-rce-flaw-in-rejetto-http-file-server-cve-2024-23692"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2024-23692-detect-rejetto-hfs-vulnerability"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2024-23692-rejetto-hfs-mitigate-vulnerability"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://vulncheck.com/advisories/rejetto-unauth-rce"
},
{
"tags": [
"third-party-advisory",
"technical-description",
"x_transferred"
],
"url": "https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/19240"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HTTP File Server",
"vendor": "Rejetto",
"versions": [
{
"lessThanOrEqual": "2.3m",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rejetto:http_file_server:*:*:*:*:*:*:*:*",
"versionEndIncluding": "2.3m",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arseniy Sharoglazov"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.\u003cbr\u003e"
}
],
"value": "Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Private exploits are known to exist\u003cbr\u003e"
}
],
"value": "Private exploits are known to exist"
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-22T12:13:59.165Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/rejetto-unauth-rce"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/"
},
{
"url": "https://github.com/rapid7/metasploit-framework/pull/19240"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"unsupported-when-assigned"
],
"title": "Rejetto HTTP File Server 2.3m Unauthenticated RCE",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2024-23692",
"datePublished": "2024-05-31T09:36:28.763Z",
"dateReserved": "2024-01-19T17:35:14.201Z",
"dateUpdated": "2025-11-22T12:13:59.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-25624 (GCVE-0-2024-25624)
Vulnerability from cvelistv5 – Published: 2024-04-25 16:30 – Updated: 2024-08-01 23:44
VLAI
Title
iris-web vulnerable to Server Side Template Injection in reports
Summary
Iris is a web collaborative platform aiming to help incident responders sharing technical details during investigations. Due to an improper setup of Jinja2 environment, reports generation in `iris-web` is prone to a Server Side Template Injection (SSTI). Successful exploitation of the vulnerability can lead to an arbitrary Remote Code Execution. An authenticated administrator has to upload a crafted report template containing the payload. Upon generation of a report based on the weaponized report, any user can trigger the vulnerability. The vulnerability is patched in IRIS v2.4.6. No workaround is available. It is recommended to update as soon as possible. Until patching, review the report templates and keep the administrative privileges that include the upload of report templates limited to dedicated users.
Severity
6.8 (Medium)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/dfir-iris/iris-web/security/ad… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:dfir-iris:iris:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "iris",
"vendor": "dfir-iris",
"versions": [
{
"lessThan": "2.4.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-25624",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-25T18:27:39.355759Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:35:17.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:44:09.705Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/dfir-iris/iris-web/security/advisories/GHSA-m64w-f7fg-hpcr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/dfir-iris/iris-web/security/advisories/GHSA-m64w-f7fg-hpcr"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iris-web",
"vendor": "dfir-iris",
"versions": [
{
"status": "affected",
"version": "\u003c 2.4.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Iris is a web collaborative platform aiming to help incident responders sharing technical details during investigations. Due to an improper setup of Jinja2 environment, reports generation in `iris-web` is prone to a Server Side Template Injection (SSTI). Successful exploitation of the vulnerability can lead to an arbitrary Remote Code Execution. An authenticated administrator has to upload a crafted report template containing the payload. Upon generation of a report based on the weaponized report, any user can trigger the vulnerability. The vulnerability is patched in IRIS v2.4.6. No workaround is available. It is recommended to update as soon as possible. Until patching, review the report templates and keep the administrative privileges that include the upload of report templates limited to dedicated users. \n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-25T16:30:43.979Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dfir-iris/iris-web/security/advisories/GHSA-m64w-f7fg-hpcr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dfir-iris/iris-web/security/advisories/GHSA-m64w-f7fg-hpcr"
}
],
"source": {
"advisory": "GHSA-m64w-f7fg-hpcr",
"discovery": "UNKNOWN"
},
"title": "iris-web vulnerable to Server Side Template Injection in reports"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-25624",
"datePublished": "2024-04-25T16:30:43.979Z",
"dateReserved": "2024-02-08T22:26:33.511Z",
"dateUpdated": "2024-08-01T23:44:09.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28116 (GCVE-0-2024-28116)
Vulnerability from cvelistv5 – Published: 2024-03-21 21:44 – Updated: 2024-08-02 00:48
VLAI
Title
Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass
Summary
Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue.
Severity
8.8 (High)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/getgrav/grav/security/advisori… | x_refsource_CONFIRM |
| https://github.com/getgrav/grav/commit/4149c81339… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "grav",
"vendor": "getgrav",
"versions": [
{
"lessThan": "1.7.45",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28116",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T20:55:43.128996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T20:56:23.682Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.256Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh"
},
{
"name": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "grav",
"vendor": "getgrav",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.45"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-21T21:44:29.489Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh"
},
{
"name": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e"
}
],
"source": {
"advisory": "GHSA-c9gp-64c4-2rrh",
"discovery": "UNKNOWN"
},
"title": "Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28116",
"datePublished": "2024-03-21T21:44:29.489Z",
"dateReserved": "2024-03-04T14:19:14.060Z",
"dateUpdated": "2024-08-02T00:48:49.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30372 (GCVE-0-2024-30372)
Vulnerability from cvelistv5 – Published: 2024-11-22 20:05 – Updated: 2024-11-25 17:56
VLAI
Title
Allegra getLinkText Server-Side Template Injection Remote Code Execution Vulnerability
Summary
Allegra getLinkText Server-Side Template Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Allegra. Authentication is required to exploit this vulnerability.
The specific flaw exists within the implementation of getLinkText method. The issue results from the lack of proper validation of a user-supplied string before processing it with the template engine. An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. Was ZDI-CAN-23609.
Severity
8.8 (High)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
| https://alltena.com/en/resources/release-notes/re… | vendor-advisory |
Date Public
2024-08-22 20:34
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:alltena:allegra:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "allegra",
"vendor": "alltena",
"versions": [
{
"lessThan": "7.5.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30372",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-25T17:55:42.610175Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-25T17:56:00.367Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Allegra",
"vendor": "Allegra",
"versions": [
{
"status": "affected",
"version": "7.5.2"
}
]
}
],
"dateAssigned": "2024-03-26T19:40:42.730Z",
"datePublic": "2024-08-22T20:34:28.412Z",
"descriptions": [
{
"lang": "en",
"value": "Allegra getLinkText Server-Side Template Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Allegra. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of getLinkText method. The issue results from the lack of proper validation of a user-supplied string before processing it with the template engine. An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. Was ZDI-CAN-23609."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-22T20:05:18.344Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-24-1165",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1165/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory"
],
"url": "https://alltena.com/en/resources/release-notes/relnotes-7-5-2"
}
],
"source": {
"lang": "en",
"value": "Anonymous"
},
"title": "Allegra getLinkText Server-Side Template Injection Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2024-30372",
"datePublished": "2024-11-22T20:05:18.344Z",
"dateReserved": "2024-03-26T18:52:36.419Z",
"dateUpdated": "2024-11-25T17:56:00.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32651 (GCVE-0-2024-32651)
Vulnerability from cvelistv5 – Published: 2024-04-25 23:49 – Updated: 2025-02-13 17:52
VLAI
Title
Server Side Template Injection in Jinja2 allows Remote Command Execution
Summary
changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced).
Severity
10 (Critical)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/dgtlmoon/changedetection.io/se… | x_refsource_CONFIRM |
| https://github.com/dgtlmoon/changedetection.io/re… | x_refsource_MISC |
| https://www.onsecurity.io/blog/server-side-templa… | x_refsource_MISC |
| https://blog.hacktivesecurity.com/index.php/2024/… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| dgtlmoon | changedetection.io |
Affected:
<= 0.45.20
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:dgtlmoon:changedetection.io:0.45.20:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "changedetection.io",
"vendor": "dgtlmoon",
"versions": [
{
"status": "affected",
"version": "0.45.20"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32651",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-07T19:43:06.358800Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T19:45:58.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:40.303Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3"
},
{
"name": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21"
},
{
"name": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "changedetection.io",
"vendor": "dgtlmoon",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.45.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn\u0027t required by the application (not by default and not enforced)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T17:06:59.504Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3"
},
{
"name": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21"
},
{
"name": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2"
},
{
"url": "https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/"
}
],
"source": {
"advisory": "GHSA-4r7v-whpg-8rx3",
"discovery": "UNKNOWN"
},
"title": "Server Side Template Injection in Jinja2 allows Remote Command Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32651",
"datePublished": "2024-04-25T23:49:28.540Z",
"dateReserved": "2024-04-16T14:15:26.876Z",
"dateUpdated": "2025-02-13T17:52:14.004Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34710 (GCVE-0-2024-34710)
Vulnerability from cvelistv5 – Published: 2024-05-20 21:59 – Updated: 2024-08-02 02:59
VLAI
Title
Wiki.js Stored XSS through Client Side Template Injection
Summary
Wiki.js is al wiki app built on Node.js. Client side template injection was discovered, that could allow an attacker to inject malicious JavaScript into the content section of pages that would execute once a victim loads the page that contains the payload. This was possible through the injection of a invalid HTML tag with a template injection payload on the next line. This vulnerability is fixed in 2.5.303.
Severity
7.1 (High)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/requarks/wiki/security/advisor… | x_refsource_CONFIRM |
| https://github.com/requarks/wiki/commit/1238d614e… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:requarks:wiki.js:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "wiki.js",
"vendor": "requarks",
"versions": [
{
"lessThanOrEqual": "2.5.302",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34710",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T14:08:35.033091Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T19:10:38.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:22.635Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/requarks/wiki/security/advisories/GHSA-xjcj-p2qv-q3rf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/requarks/wiki/security/advisories/GHSA-xjcj-p2qv-q3rf"
},
{
"name": "https://github.com/requarks/wiki/commit/1238d614e1599fefadd4614ee4b5797a087f50ac",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/requarks/wiki/commit/1238d614e1599fefadd4614ee4b5797a087f50ac"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wiki",
"vendor": "requarks",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.5.302"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wiki.js is al wiki app built on Node.js. Client side template injection was discovered, that could allow an attacker to inject malicious JavaScript into the content section of pages that would execute once a victim loads the page that contains the payload. This was possible through the injection of a invalid HTML tag with a template injection payload on the next line. This vulnerability is fixed in 2.5.303.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-20T21:59:16.606Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/requarks/wiki/security/advisories/GHSA-xjcj-p2qv-q3rf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/requarks/wiki/security/advisories/GHSA-xjcj-p2qv-q3rf"
},
{
"name": "https://github.com/requarks/wiki/commit/1238d614e1599fefadd4614ee4b5797a087f50ac",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/requarks/wiki/commit/1238d614e1599fefadd4614ee4b5797a087f50ac"
}
],
"source": {
"advisory": "GHSA-xjcj-p2qv-q3rf",
"discovery": "UNKNOWN"
},
"title": "Wiki.js Stored XSS through Client Side Template Injection "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34710",
"datePublished": "2024-05-20T21:59:16.606Z",
"dateReserved": "2024-05-07T13:53:00.133Z",
"dateUpdated": "2024-08-02T02:59:22.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35191 (GCVE-0-2024-35191)
Vulnerability from cvelistv5 – Published: 2024-05-20 20:26 – Updated: 2024-08-02 03:07
VLAI
Title
verbb/formie Server-Side Template Injection for variable-enabled settings
Summary
Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This has been fixed in Formie 2.1.6.
Severity
4.4 (Medium)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/verbb/formie/security/advisori… | x_refsource_CONFIRM |
| https://github.com/verbb/formie/commit/90296edf7e… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:verbb:formie:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "formie",
"vendor": "verbb",
"versions": [
{
"lessThan": "2.1.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35191",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T14:44:43.052581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T19:18:34.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.830Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5"
},
{
"name": "https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "formie",
"vendor": "verbb",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form\u0027s settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This has been fixed in Formie 2.1.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-20T20:26:24.492Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5"
},
{
"name": "https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420"
}
],
"source": {
"advisory": "GHSA-v45m-hxqp-fwf5",
"discovery": "UNKNOWN"
},
"title": "verbb/formie Server-Side Template Injection for variable-enabled settings"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-35191",
"datePublished": "2024-05-20T20:26:24.492Z",
"dateReserved": "2024-05-10T14:24:24.341Z",
"dateUpdated": "2024-08-02T03:07:46.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37301 (GCVE-0-2024-37301)
Vulnerability from cvelistv5 – Published: 2024-06-11 18:34 – Updated: 2026-02-04 19:40
VLAI
Title
document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection
Summary
Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the affected system. As of time of publication, no patched version exists, nor have any known workarounds been disclosed.
Severity
7.2 (High)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/adfinis/document-merge-service… | x_refsource_CONFIRM |
| https://github.com/adfinis/document-merge-service… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| adfinis | document-merge-service |
Affected:
< 6.5.2
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:adfinis:document_merge_service:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "document_merge_service",
"vendor": "adfinis",
"versions": [
{
"lessThanOrEqual": "6.5.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37301",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T20:18:28.016202Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T20:21:20.380Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:56.118Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-r78h-55q6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-r78h-55q6"
},
{
"name": "https://github.com/adfinis/document-merge-service/commit/a1edd39d33d1bdf75c31ea01c317547be90ca074",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/adfinis/document-merge-service/commit/a1edd39d33d1bdf75c31ea01c317547be90ca074"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "document-merge-service",
"vendor": "adfinis",
"versions": [
{
"status": "affected",
"version": "\u003c 6.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the affected system. As of time of publication, no patched version exists, nor have any known workarounds been disclosed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T19:40:11.164Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-r78h-55q6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-r78h-55q6"
},
{
"name": "https://github.com/adfinis/document-merge-service/commit/a1edd39d33d1bdf75c31ea01c317547be90ca074",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/adfinis/document-merge-service/commit/a1edd39d33d1bdf75c31ea01c317547be90ca074"
}
],
"source": {
"advisory": "GHSA-v5gf-r78h-55q6",
"discovery": "UNKNOWN"
},
"title": "document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37301",
"datePublished": "2024-06-11T18:34:38.374Z",
"dateReserved": "2024-06-05T20:10:46.497Z",
"dateUpdated": "2026-02-04T19:40:11.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-38363 (GCVE-0-2024-38363)
Vulnerability from cvelistv5 – Published: 2024-07-09 14:10 – Updated: 2024-08-02 04:04
VLAI
Title
Remote Code Execution (RCE) via Server Side Template Injection (SSTI) in Airbyte
Summary
Airbyte is a data integration platform for ELT pipelines. Airbyte connection builder docker image is vulnerable to RCE via SSTI which allows an authenticated remote attacker to execute arbitrary code on the server as the web server user. The connection builder is used to create and test new connectors. Sensitive information, such as credentials, could be exposed if a user tested a new connector on a compromised instance. The connection builder does not have access to any data processes. This vulnerability is fixed in 0.62.2.
Severity
8.6 (High)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/airbytehq/airbyte/security/adv… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:airbyte:airbytehq:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "airbytehq",
"vendor": "airbyte",
"versions": [
{
"lessThan": "0.62.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38363",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T14:29:59.326680Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T14:32:40.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:04:25.126Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/airbytehq/airbyte/security/advisories/GHSA-4j3c-fgvx-xgqq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/airbytehq/airbyte/security/advisories/GHSA-4j3c-fgvx-xgqq"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "airbyte",
"vendor": "airbytehq",
"versions": [
{
"status": "affected",
"version": "\u003c 0.62.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Airbyte is a data integration platform for ELT pipelines. Airbyte connection builder docker image is vulnerable to RCE via SSTI which allows an authenticated remote attacker to execute arbitrary code on the server as the web server user. The connection builder is used to create and test new connectors. Sensitive information, such as credentials, could be exposed if a user tested a new connector on a compromised instance. The connection builder does not have access to any data processes. This vulnerability is fixed in 0.62.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T14:10:47.792Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/airbytehq/airbyte/security/advisories/GHSA-4j3c-fgvx-xgqq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/airbytehq/airbyte/security/advisories/GHSA-4j3c-fgvx-xgqq"
}
],
"source": {
"advisory": "GHSA-4j3c-fgvx-xgqq",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution (RCE) via Server Side Template Injection (SSTI) in Airbyte"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-38363",
"datePublished": "2024-07-09T14:10:47.792Z",
"dateReserved": "2024-06-14T14:16:16.465Z",
"dateUpdated": "2024-08-02T04:04:25.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.
Mitigation
Phase: Implementation
Description:
- Use the template engine's sandbox or restricted mode, if available.
No CAPEC attack patterns related to this CWE.