CVE-2024-58303
8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system commands by inserting crafted template expressions that trigger arbitrary code execution during email generation.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Flarum | FriendsofFlarum Pretty Mail | 1.1.2 | affected |
Weaknesses
- CWE-1336: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine (SSTI)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://www.exploit-db.com/exploits/51948
- https://flarum.org/
- https://github.com/FriendsOfFlarum/pretty-mail
- https://www.vulncheck.com/advisories/fof-pretty-mail-server-side-template-injection-via-email-template-settings
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.