RCE by Server Side Template Injection in microweber/microweber

Valid

Reported on

Feb 9th 2023


Description

Hi, during my testing, I discovered that it is possible to inject code into the system through the "first name" field.

This vulnerability allows for server-side template injection, which can lead to arbitrary code execution. The impact of this vulnerability is potentially significant and should be addressed as soon as possible.

I ran {{system('id')}}, proving code execution on the server.

Proof of Concept

Poc:

Impact

Remote code execution
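
The class of bug reported above, as an added illustration that is not part of the original report and is not microweber's code: a profile field that reaches the template source is evaluated, while the same value passed as data is only printed. The `render()` toy engine, both greeting functions, and the harmless `system` stand-in are hypothetical; the input string is the one quoted in the report.

```php
<?php
// Added example, not microweber code. render() is a hypothetical toy engine:
// {{ name }} prints an escaped value from $context, and {{ fn('arg') }}
// calls a function registered in $functions. It makes a single pass, so
// text produced by a substitution is never evaluated again.
function render(string $template, array $context, array $functions): string
{
    return preg_replace_callback(
        '/\{\{\s*(\w+)(?:\(\'([^\']*)\'\))?\s*\}\}/',
        function (array $m) use ($context, $functions): string {
            if (isset($m[2])) { // call form: {{ fn('arg') }}
                return isset($functions[$m[1]])
                    ? (string) $functions[$m[1]]($m[2])
                    : '';
            }
            // variable form: {{ name }}, HTML-escaped on output
            return htmlspecialchars((string) ($context[$m[1]] ?? ''), ENT_QUOTES);
        },
        $template
    );
}

// Vulnerable pattern: the user-controlled value becomes template SOURCE.
function greetingVulnerable(string $firstName, array $functions): string
{
    return render('Hello ' . $firstName . '!', [], $functions);
}

// Hardened pattern: the template is a constant, the value is only DATA.
function greetingSafe(string $firstName, array $functions): string
{
    return render('Hello {{ first_name }}!', ['first_name' => $firstName], $functions);
}

// Harmless stand-in for a dangerous function exposed to templates.
$functions = [
    'system' => function (string $cmd): string {
        return '[would execute: ' . $cmd . ']';
    },
];

$firstName = "{{system('id')}}"; // first-name value quoted in the report

echo greetingVulnerable($firstName, $functions), PHP_EOL;
// Hello [would execute: id]!
echo greetingSafe($firstName, $functions), PHP_EOL;
// Hello {{system(&#039;id&#039;)}}!
```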

We are processing your report and will contact the microweber team within 24 hours. 3 months ago
We have contacted a member of the microweber team and are waiting to hear back 3 months ago
Peter Ivanov modified the Severity from Medium (6.3) to Medium (6.1) 3 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability 3 months ago
Dan Barros has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.3.3 with commit 93a906 3 months ago
Peter Ivanov has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 31st 2023
Peter Ivanov published this vulnerability a month ago
Dan Barros
a month ago

Researcher


Hi @maintainer, could I receive the CVE for the find?

Dan Barros
a month ago

Researcher


Hi @admin @maintainer, I wonder if I can get a CVE for this vulnerability?
