RCE by Server Side Template Injection in microweber/microweber
Valid
Reported on
Feb 9th 2023
Description
Hi, During my testing, I discovered that it is possible to inject code into the system through the "first name" field.
This vulnerability allows for server-side template injection, which can lead to arbitrary code execution. The impact of this vulnerability is potentially significant and should be addressed as soon as possible.
I ran the {{system('id')}} proving the code execution on the server.
Proof of Concept
Poc:

Impact
Remote code execution
We are processing your report and will contact the
microweber
team within 24 hours.
3 months ago
We have contacted a member of the
microweber
team and are waiting to hear back
3 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
The researcher's credibility has increased: +7
Peter Ivanov
has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on
Mar 31st 2023
Hi @admin @maintainer, I wonder if I can get a CVE for this vulnerability?
to join this conversation