Server Side Template Injection in alfio-event/


Reported on Mar 5th 2023


alfio-event is vulnerable to Server Side Template Injection via Angular

Proof of Concept


With an authenticated user, access the admin panel. Create an organization, then go to Users and create a new user with the username {{ 7*7 }} in that organization. Now log in with this username and you can see "Logged in as 49".


{{ 7*7 }}


The impact of server-side template injection vulnerabilities is generally critical, resulting in remote code execution and full control of the back-end server. Even without code execution, the attacker may be able to read sensitive data on the server.
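To make the mechanism behind the "Logged in as 49" observation concrete, here is an added example that is not part of the report and not alf.io's code: a toy interpolate() standing in for Angular-style {{ }} expression evaluation, with the vulnerable path (username concatenated into the template text, so it becomes template source) beside the hardened one (username passed as scope data, so it is only ever read, never parsed). The evaluator, renderVulnerable(), renderSafe() and the looksLikeTemplateInjection() check are all assumptions made for illustration, not the project's actual code or fix. Note that with Angular the expression is evaluated wherever the template is compiled, i.e. in the browser of whoever views the page.

```javascript
// Added example (not alf.io's code): a toy stand-in for Angular-style {{ }}
// interpolation, used to show why a username that reaches the template
// *as template text* is evaluated, while one bound as *data* is not.

// Evaluate a single {{ expr }}. Pure arithmetic is executed; anything else is
// looked up on the scope by dotted path. This is a deliberately tiny subset of
// what a real framework expression evaluator supports.
function evalExpr(expr, scope) {
  const e = expr.trim();
  if (/^[\d\s+\-*\/().]+$/.test(e)) {
    return String(Function(`"use strict"; return (${e});`)());
  }
  const v = e.split(".").reduce((o, k) => (o == null ? undefined : o[k]), scope);
  return v === undefined ? "" : String(v);
}

// Replace every {{ ... }} in a template string in a single pass, the way a
// client-side framework does when it compiles DOM text. Values produced by
// the scope lookup are NOT re-scanned for {{ }}.
function interpolate(template, scope) {
  return template.replace(/\{\{(.*?)\}\}/g, (_, expr) => evalExpr(expr, scope));
}

// VULNERABLE: the page is built by string concatenation *before* the
// framework interpolates it, so the username is treated as template source.
function renderVulnerable(username) {
  const html = "Logged in as " + username;
  return interpolate(html, {});
}

// FIXED: the markup is a fixed template; the username is supplied as data
// and only ever read out of the scope, so {{ 7*7 }} stays literal text.
function renderSafe(username) {
  const html = "Logged in as {{ user.username }}";
  return interpolate(html, { user: { username } });
}

// Defensive check for input validation or log review: flag identifiers that
// carry interpolation markers, which have no business in a username.
function looksLikeTemplateInjection(s) {
  return /\{\{|\}\}|\$\{/.test(s);
}

// Constructed input: the username from the report.
const PAYLOAD = "{{ 7*7 }}";

console.log(renderVulnerable(PAYLOAD));          // Logged in as 49
console.log(renderSafe(PAYLOAD));                // Logged in as {{ 7*7 }}
console.log(looksLikeTemplateInjection(PAYLOAD)); // true
```

The general remedy is the one the safe path shows: user-controlled strings must only ever enter the rendered page as bound data, never as part of the template that gets compiled. Validation that rejects {{ and }} in identifiers is a useful second layer and a cheap detection rule, but it is not a substitute for the correct binding.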

Sylvain Jermini validated this vulnerability 3 months ago

We confirm it's a valid issue: to be noted, it would require an admin to create a user with the specific name, which would be quite funny :)

2 months ago


Fix update?

Sylvain Jermini marked this as fixed in 2.0-M4-2304 with commit 94e292 a month ago
This vulnerability has been assigned a CVE
Sylvain Jermini published this vulnerability a month ago