Common Weakness Enumeration
CWE-1336
AllowedImproper Neutralization of Special Elements Used in a Template Engine
Abstraction: Base · Status: Incomplete
The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
313 vulnerabilities reference this CWE, most recent first.
CVE-2024-48962 (GCVE-0-2024-48962)
Vulnerability from cvelistv5 – Published: 2024-11-18 08:41 – Updated: 2026-05-04 14:55
VLAI
EPSS
VEX
Title
Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE)
Summary
Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.17.
Users are recommended to upgrade to version 18.12.17, which fixes the issue.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://ofbiz.apache.org/download.html | mitigationrelease-notesproduct |
| https://ofbiz.apache.org/security.html | patch |
| https://issues.apache.org/jira/browse/OFBIZ-13162 | issue-tracking |
| https://lists.apache.org/thread/6sddh4pts90cp8kts… | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2024/11/16/2 |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , < 18.12.17
(semver)
|
|
| apache | ofbiz |
Affected:
0 , < 18.12.17
(semver)
cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-11-18T09:03:47.896Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/11/16/2"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ofbiz",
"vendor": "apache",
"versions": [
{
"lessThan": "18.12.17",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48962",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T15:43:23.785657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T15:34:27.275Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "18.12.17",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sebastiano Sartor \u003cs@sebsrt.xyz\u003e"
},
{
"lang": "en",
"type": "finder",
"value": "Ryan Chan \u003chttps://www.linkedin.com/in/ryanchan07/\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Control of Generation of Code (\u0027Code Injection\u0027), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 18.12.17.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.17, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.17.\n\nUsers are recommended to upgrade to version 18.12.17, which fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N/R:U/V:C/RE:H/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T14:55:28.249Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation",
"release-notes",
"product"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13162"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/6sddh4pts90cp8ktshqb4xykdp6lb6q6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-48962",
"datePublished": "2024-11-18T08:41:30.545Z",
"dateReserved": "2024-10-10T06:25:35.776Z",
"dateUpdated": "2026-05-04T14:55:28.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45053 (GCVE-0-2024-45053)
Vulnerability from cvelistv5 – Published: 2024-09-04 16:04 – Updated: 2024-09-04 18:02
VLAI
EPSS
VEX
Title
Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine
Summary
Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.
Severity
9.1 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/ethyca/fides/security/advisori… | x_refsource_CONFIRM |
| https://github.com/ethyca/fides/commit/829cbd9cb5… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"lessThan": "2.44.0",
"status": "affected",
"version": "2.19.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45053",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T18:01:28.427738Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T18:02:37.351Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.19.0, \u003c 2.44.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T16:04:03.741Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx"
},
{
"name": "https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5"
}
],
"source": {
"advisory": "GHSA-c34r-238x-f7qx",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45053",
"datePublished": "2024-09-04T16:04:03.741Z",
"dateReserved": "2024-08-21T17:53:51.332Z",
"dateUpdated": "2024-09-04T18:02:37.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42356 (GCVE-0-2024-42356)
Vulnerability from cvelistv5 – Published: 2024-08-08 14:52 – Updated: 2024-08-09 15:55
VLAI
EPSS
VEX
Title
Shopware vulnerable to Server Side Template Injection in Twig using Context functions
Summary
Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the `context` variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of the Context as a helper with a callable function. The function can be called also from Twig and as the second parameter allows any callable, it's possible to call from Twig any statically callable PHP function/method. It's not possible as customer to provide any Twig code, the attacker would require access to Administration to exploit it using Mail templates or using App Scripts. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin.
Severity
8.3 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/shopware/shopware/security/adv… | x_refsource_CONFIRM |
| https://github.com/shopware/core/commit/04183e0c0… | x_refsource_MISC |
| https://github.com/shopware/core/commit/a784aa1ce… | x_refsource_MISC |
| https://github.com/shopware/shopware/commit/8504b… | x_refsource_MISC |
| https://github.com/shopware/shopware/commit/e4342… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "shopware",
"vendor": "shopware",
"versions": [
{
"lessThanOrEqual": "6.5.8.12",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.6.5.0",
"status": "affected",
"version": "6.6.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42356",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-09T15:51:49.931045Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T15:55:33.933Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "shopware",
"vendor": "shopware",
"versions": [
{
"status": "affected",
"version": "\u003c= 6.5.8.12"
},
{
"status": "affected",
"version": "\u003e= 6.6.0.0, \u003c= 6.6.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the `context` variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of the Context as a helper with a callable function. The function can be called also from Twig and as the second parameter allows any callable, it\u0027s possible to call from Twig any statically callable PHP function/method. It\u0027s not possible as customer to provide any Twig code, the attacker would require access to Administration to exploit it using Mail templates or using App Scripts. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T14:52:53.604Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj"
},
{
"name": "https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038"
},
{
"name": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f"
},
{
"name": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac"
},
{
"name": "https://github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e"
}
],
"source": {
"advisory": "GHSA-35jp-8cgg-p4wj",
"discovery": "UNKNOWN"
},
"title": "Shopware vulnerable to Server Side Template Injection in Twig using Context functions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-42356",
"datePublished": "2024-08-08T14:52:53.604Z",
"dateReserved": "2024-07-30T14:01:33.922Z",
"dateUpdated": "2024-08-09T15:55:33.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42355 (GCVE-0-2024-42355)
Vulnerability from cvelistv5 – Published: 2024-08-08 14:49 – Updated: 2024-08-08 15:32
VLAI
EPSS
VEX
Title
Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag
Summary
Shopware, an open ecommerce platform, has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages while triggered in this tag. Prior to versions 6.6.5.1 and 6.5.8.13, it accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.
Severity
8.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/shopware/shopware/security/adv… | x_refsource_CONFIRM |
| https://github.com/shopware/core/commit/a784aa1ce… | x_refsource_MISC |
| https://github.com/shopware/core/commit/d35ee2eda… | x_refsource_MISC |
| https://github.com/shopware/shopware/commit/445c6… | x_refsource_MISC |
| https://github.com/shopware/shopware/commit/8504b… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "shopware",
"vendor": "shopware",
"versions": [
{
"lessThan": "6.5.8.13",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "6.6.5.1",
"status": "affected",
"version": "6.6.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42355",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T15:26:25.050210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T15:32:50.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "shopware",
"vendor": "shopware",
"versions": [
{
"status": "affected",
"version": "\u003c= 6.5.8.12"
},
{
"status": "affected",
"version": "\u003e= 6.6.0.0, \u003c= 6.6.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Shopware, an open ecommerce platform, has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages while triggered in this tag. Prior to versions 6.6.5.1 and 6.5.8.13, it accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T14:49:38.492Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp"
},
{
"name": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f"
},
{
"name": "https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2"
},
{
"name": "https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da"
},
{
"name": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac"
}
],
"source": {
"advisory": "GHSA-27wp-jvhw-v4xp",
"discovery": "UNKNOWN"
},
"title": "Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-42355",
"datePublished": "2024-08-08T14:49:38.492Z",
"dateReserved": "2024-07-30T14:01:33.922Z",
"dateUpdated": "2024-08-08T15:32:50.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41950 (GCVE-0-2024-41950)
Vulnerability from cvelistv5 – Published: 2024-07-31 15:50 – Updated: 2024-07-31 16:20
VLAI
EPSS
VEX
Title
Insecure Jinja2 templates rendered in Haystack Components can lead to RCE
Summary
Haystack is an end-to-end LLM framework that allows you to build applications powered by LLMs, Transformer models, vector search and more. Haystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code executions. Certain Components in Haystack use Jinja2 templates, if anyone can create and render that template on the client machine they run any code. The vulnerability has been fixed with Haystack `2.3.1`.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/deepset-ai/haystack/security/a… | x_refsource_CONFIRM |
| https://github.com/deepset-ai/haystack/pull/8095 | x_refsource_MISC |
| https://github.com/deepset-ai/haystack/pull/8096 | x_refsource_MISC |
| https://github.com/deepset-ai/haystack/commit/3fe… | x_refsource_MISC |
| https://github.com/deepset-ai/haystack/commit/6c2… | x_refsource_MISC |
| https://github.com/deepset-ai/haystack/releases/t… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| deepset-ai | haystack |
Affected:
< 2.3.1
|
|
| deepset | haystack |
Affected:
0 , < 2.3.1
(custom)
cpe:2.3:a:deepset:haystack:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:deepset:haystack:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "haystack",
"vendor": "deepset",
"versions": [
{
"lessThan": "2.3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41950",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-31T16:19:06.696483Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T16:20:20.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "haystack",
"vendor": "deepset-ai",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Haystack is an end-to-end LLM framework that allows you to build applications powered by LLMs, Transformer models, vector search and more. Haystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code executions. Certain Components in Haystack use Jinja2 templates, if anyone can create and render that template on the client machine they run any code. The vulnerability has been fixed with Haystack `2.3.1`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T15:50:59.837Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/deepset-ai/haystack/security/advisories/GHSA-hx9v-6r9f-w677",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/deepset-ai/haystack/security/advisories/GHSA-hx9v-6r9f-w677"
},
{
"name": "https://github.com/deepset-ai/haystack/pull/8095",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/deepset-ai/haystack/pull/8095"
},
{
"name": "https://github.com/deepset-ai/haystack/pull/8096",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/deepset-ai/haystack/pull/8096"
},
{
"name": "https://github.com/deepset-ai/haystack/commit/3fed1366c448b02189851bf08166c1f6477a02b0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/deepset-ai/haystack/commit/3fed1366c448b02189851bf08166c1f6477a02b0"
},
{
"name": "https://github.com/deepset-ai/haystack/commit/6c25a5c73e83aa32c3241ba84a5cbb3ac0e8a89e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/deepset-ai/haystack/commit/6c25a5c73e83aa32c3241ba84a5cbb3ac0e8a89e"
},
{
"name": "https://github.com/deepset-ai/haystack/releases/tag/v2.3.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/deepset-ai/haystack/releases/tag/v2.3.1"
}
],
"source": {
"advisory": "GHSA-hx9v-6r9f-w677",
"discovery": "UNKNOWN"
},
"title": "Insecure Jinja2 templates rendered in Haystack Components can lead to RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41950",
"datePublished": "2024-07-31T15:50:59.837Z",
"dateReserved": "2024-07-24T16:51:40.949Z",
"dateUpdated": "2024-07-31T16:20:20.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39766 (GCVE-0-2024-39766)
Vulnerability from cvelistv5 – Published: 2024-11-13 21:12 – Updated: 2024-11-14 19:36
VLAI
EPSS
VEX
Summary
Improper neutralization of special elements used in SQL command in some Intel(R) Neural Compressor software before version v3.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- escalation of privilege
- CWE-1336 - Improper neutralization of special elements used in SQL command
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Intel(R) Neural Compressor software |
Affected:
before version v3.0
|
|
| intel | neural_compressor_software |
Affected:
0 , < 3.0
(custom)
cpe:2.3:a:intel:neural_compressor_software:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:intel:neural_compressor_software:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "neural_compressor_software",
"vendor": "intel",
"versions": [
{
"lessThan": "3.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39766",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T15:10:33.965481Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T19:36:18.202Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Intel(R) Neural Compressor software",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "before version v3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in SQL command in some Intel(R) Neural Compressor software before version v3.0 may allow an authenticated user to potentially enable escalation of privilege via local access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "escalation of privilege",
"lang": "en"
},
{
"cweId": "CWE-1336",
"description": "Improper neutralization of special elements used in SQL command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-13T21:12:08.831Z",
"orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"shortName": "intel"
},
"references": [
{
"name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01219.html",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01219.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"assignerShortName": "intel",
"cveId": "CVE-2024-39766",
"datePublished": "2024-11-13T21:12:08.831Z",
"dateReserved": "2024-07-12T03:00:14.027Z",
"dateUpdated": "2024-11-14T19:36:18.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38363 (GCVE-0-2024-38363)
Vulnerability from cvelistv5 – Published: 2024-07-09 14:10 – Updated: 2024-08-02 04:04
VLAI
EPSS
VEX
Title
Remote Code Execution (RCE) via Server Side Template Injection (SSTI) in Airbyte
Summary
Airbyte is a data integration platform for ELT pipelines. Airbyte connection builder docker image is vulnerable to RCE via SSTI which allows an authenticated remote attacker to execute arbitrary code on the server as the web server user. The connection builder is used to create and test new connectors. Sensitive information, such as credentials, could be exposed if a user tested a new connector on a compromised instance. The connection builder does not have access to any data processes. This vulnerability is fixed in 0.62.2.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/airbytehq/airbyte/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:airbyte:airbytehq:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "airbytehq",
"vendor": "airbyte",
"versions": [
{
"lessThan": "0.62.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38363",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T14:29:59.326680Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T14:32:40.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:04:25.126Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/airbytehq/airbyte/security/advisories/GHSA-4j3c-fgvx-xgqq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/airbytehq/airbyte/security/advisories/GHSA-4j3c-fgvx-xgqq"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "airbyte",
"vendor": "airbytehq",
"versions": [
{
"status": "affected",
"version": "\u003c 0.62.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Airbyte is a data integration platform for ELT pipelines. Airbyte connection builder docker image is vulnerable to RCE via SSTI which allows an authenticated remote attacker to execute arbitrary code on the server as the web server user. The connection builder is used to create and test new connectors. Sensitive information, such as credentials, could be exposed if a user tested a new connector on a compromised instance. The connection builder does not have access to any data processes. This vulnerability is fixed in 0.62.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T14:10:47.792Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/airbytehq/airbyte/security/advisories/GHSA-4j3c-fgvx-xgqq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/airbytehq/airbyte/security/advisories/GHSA-4j3c-fgvx-xgqq"
}
],
"source": {
"advisory": "GHSA-4j3c-fgvx-xgqq",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution (RCE) via Server Side Template Injection (SSTI) in Airbyte"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-38363",
"datePublished": "2024-07-09T14:10:47.792Z",
"dateReserved": "2024-06-14T14:16:16.465Z",
"dateUpdated": "2024-08-02T04:04:25.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37301 (GCVE-0-2024-37301)
Vulnerability from cvelistv5 – Published: 2024-06-11 18:34 – Updated: 2026-02-04 19:40
VLAI
EPSS
VEX
Title
document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection
Summary
Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the affected system. As of time of publication, no patched version exists, nor have any known workarounds been disclosed.
Severity
7.2 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/adfinis/document-merge-service… | x_refsource_CONFIRM |
| https://github.com/adfinis/document-merge-service… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| adfinis | document-merge-service |
Affected:
< 6.5.2
|
|
| adfinis | document_merge_service |
Affected:
0 , ≤ 6.5.1
(custom)
cpe:2.3:a:adfinis:document_merge_service:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:adfinis:document_merge_service:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "document_merge_service",
"vendor": "adfinis",
"versions": [
{
"lessThanOrEqual": "6.5.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37301",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T20:18:28.016202Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T20:21:20.380Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:56.118Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-r78h-55q6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-r78h-55q6"
},
{
"name": "https://github.com/adfinis/document-merge-service/commit/a1edd39d33d1bdf75c31ea01c317547be90ca074",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/adfinis/document-merge-service/commit/a1edd39d33d1bdf75c31ea01c317547be90ca074"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "document-merge-service",
"vendor": "adfinis",
"versions": [
{
"status": "affected",
"version": "\u003c 6.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the affected system. As of time of publication, no patched version exists, nor have any known workarounds been disclosed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T19:40:11.164Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-r78h-55q6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-r78h-55q6"
},
{
"name": "https://github.com/adfinis/document-merge-service/commit/a1edd39d33d1bdf75c31ea01c317547be90ca074",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/adfinis/document-merge-service/commit/a1edd39d33d1bdf75c31ea01c317547be90ca074"
}
],
"source": {
"advisory": "GHSA-v5gf-r78h-55q6",
"discovery": "UNKNOWN"
},
"title": "document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37301",
"datePublished": "2024-06-11T18:34:38.374Z",
"dateReserved": "2024-06-05T20:10:46.497Z",
"dateUpdated": "2026-02-04T19:40:11.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-35191 (GCVE-0-2024-35191)
Vulnerability from cvelistv5 – Published: 2024-05-20 20:26 – Updated: 2024-08-02 03:07
VLAI
EPSS
VEX
Title
verbb/formie Server-Side Template Injection for variable-enabled settings
Summary
Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This has been fixed in Formie 2.1.6.
Severity
4.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/verbb/formie/security/advisori… | x_refsource_CONFIRM |
| https://github.com/verbb/formie/commit/90296edf7e… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:verbb:formie:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "formie",
"vendor": "verbb",
"versions": [
{
"lessThan": "2.1.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35191",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T14:44:43.052581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T19:18:34.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.830Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5"
},
{
"name": "https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "formie",
"vendor": "verbb",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form\u0027s settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This has been fixed in Formie 2.1.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-20T20:26:24.492Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5"
},
{
"name": "https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420"
}
],
"source": {
"advisory": "GHSA-v45m-hxqp-fwf5",
"discovery": "UNKNOWN"
},
"title": "verbb/formie Server-Side Template Injection for variable-enabled settings"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-35191",
"datePublished": "2024-05-20T20:26:24.492Z",
"dateReserved": "2024-05-10T14:24:24.341Z",
"dateUpdated": "2024-08-02T03:07:46.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34710 (GCVE-0-2024-34710)
Vulnerability from cvelistv5 – Published: 2024-05-20 21:59 – Updated: 2024-08-02 02:59
VLAI
EPSS
VEX
Title
Wiki.js Stored XSS through Client Side Template Injection
Summary
Wiki.js is al wiki app built on Node.js. Client side template injection was discovered, that could allow an attacker to inject malicious JavaScript into the content section of pages that would execute once a victim loads the page that contains the payload. This was possible through the injection of a invalid HTML tag with a template injection payload on the next line. This vulnerability is fixed in 2.5.303.
Severity
7.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/requarks/wiki/security/advisor… | x_refsource_CONFIRM |
| https://github.com/requarks/wiki/commit/1238d614e… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:requarks:wiki.js:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "wiki.js",
"vendor": "requarks",
"versions": [
{
"lessThanOrEqual": "2.5.302",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34710",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T14:08:35.033091Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T19:10:38.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:22.635Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/requarks/wiki/security/advisories/GHSA-xjcj-p2qv-q3rf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/requarks/wiki/security/advisories/GHSA-xjcj-p2qv-q3rf"
},
{
"name": "https://github.com/requarks/wiki/commit/1238d614e1599fefadd4614ee4b5797a087f50ac",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/requarks/wiki/commit/1238d614e1599fefadd4614ee4b5797a087f50ac"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wiki",
"vendor": "requarks",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.5.302"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wiki.js is al wiki app built on Node.js. Client side template injection was discovered, that could allow an attacker to inject malicious JavaScript into the content section of pages that would execute once a victim loads the page that contains the payload. This was possible through the injection of a invalid HTML tag with a template injection payload on the next line. This vulnerability is fixed in 2.5.303.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-20T21:59:16.606Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/requarks/wiki/security/advisories/GHSA-xjcj-p2qv-q3rf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/requarks/wiki/security/advisories/GHSA-xjcj-p2qv-q3rf"
},
{
"name": "https://github.com/requarks/wiki/commit/1238d614e1599fefadd4614ee4b5797a087f50ac",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/requarks/wiki/commit/1238d614e1599fefadd4614ee4b5797a087f50ac"
}
],
"source": {
"advisory": "GHSA-xjcj-p2qv-q3rf",
"discovery": "UNKNOWN"
},
"title": "Wiki.js Stored XSS through Client Side Template Injection "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34710",
"datePublished": "2024-05-20T21:59:16.606Z",
"dateReserved": "2024-05-07T13:53:00.133Z",
"dateUpdated": "2024-08-02T02:59:22.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Architecture and Design
Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.
Mitigation
Implementation
Use the template engine's sandbox or restricted mode, if available.
No CAPEC attack patterns related to this CWE.