Server Side Template Injection in alfio-event/alf.io

Valid

Reported on

Mar 5th 2023


Description

alf-event is vulnerable to Server Side Template Injection via Angular.

Proof of Concept

VIDEO: https://drive.google.com/file/d/13iLRNXjY75AoyvegOdu8W-FTPRBfQQVR/view?usp=sharing

With an authenticated user, access the admin panel. Create an organization, then go to users and create a new user with the username {{ 7*7 }} in that organization. Now log in with this username and you can see "Logged in as 49": https://drive.google.com/file/d/1fEyyWBjQ2qOwxyFpt-exnuSxgOZ7_WxC/view?usp=share_link

Payload

{{ 7*7 }}

Impact

The impact of server-side template injection vulnerabilities is generally critical, resulting in remote code execution by taking full control of the back-end server. Even without the code execution, the attacker may be able to read sensitive data on the server.
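
Added example, not part of the report and not alf.io's code or its fix: a check for AngularJS-style {{ }} markers in user-controlled names, plus an output helper that keeps such a name literal when it is displayed. It assumes the name is written into HTML that AngularJS later compiles; the function names, the username policy and the sample list are hypothetical.

```javascript
// Added example (not alf.io code). Assumption: a user-controlled display
// value is written into HTML that AngularJS later compiles.

// Escape HTML metacharacters. HTML escaping alone does not stop AngularJS
// interpolation: braces pass through unchanged.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Return every interpolation expression found in a value, using the default
// AngularJS delimiters unless the application reconfigured them.
function findInterpolations(value, start = '{{', end = '}}') {
  const found = [];
  const text = String(value);
  let from = 0;
  while (true) {
    const open = text.indexOf(start, from);
    if (open === -1) break;
    const close = text.indexOf(end, open + start.length);
    if (close === -1) break;
    found.push(text.slice(open + start.length, close).trim());
    from = close + end.length;
  }
  return found;
}

// Input-side check (hypothetical policy): reject names that carry either
// delimiter, and report any complete expressions for logging.
function validateUsername(name) {
  const hasDelimiter = /\{\{|\}\}/.test(String(name));
  return { ok: !hasDelimiter, expressions: findInterpolations(name) };
}

// Output-side defense: escape HTML and mark the element ng-non-bindable so
// the AngularJS compiler skips its contents.
function renderDisplayName(name) {
  return `<span ng-non-bindable>${escapeHtml(name)}</span>`;
}

// Constructed sample data for an audit of existing accounts.
const SAMPLE_USERS = ['alice', '{{ 7*7 }}', 'bob <admin>', 'x{{a}}y{{ b }}'];
function auditUsers(users) {
  return users.filter((u) => !validateUsername(u).ok);
}
```

Running auditUsers over existing accounts shows which stored names would be evaluated if rendered unprotected; renderDisplayName covers the output side for names that were stored before input validation existed.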

We are processing your report and will contact the alfio-event/alf.io team within 24 hours. 3 months ago
Yelprofessor modified the report
3 months ago
Yelprofessor modified the report
3 months ago
Sylvain Jermini gave praise 3 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Sylvain Jermini validated this vulnerability 3 months ago

We confirm it's a valid issue: to be noted, it would require an admin to create a user with the specific name, which would be quite funny :)

Yelprofessor has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Yelprofessor
2 months ago

Researcher


Fix update?

Sylvain Jermini marked this as fixed in 2.0-M4-2304 with commit 94e292 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Sylvain Jermini published this vulnerability a month ago