
CVE-2023-1877: RCE by Server Side Template Injection in microweber

Command Injection in GitHub repository microweber/microweber prior to 1.3.3.

CVE
#vulnerability#web#git#rce

Valid

Description

Hi. During my testing, I discovered that it is possible to inject code into the system through the "first name" field.

This vulnerability allows for server-side template injection, which can lead to arbitrary code execution. The impact of this vulnerability is potentially significant and should be addressed as soon as possible.

I ran {{system('id')}}, proving code execution on the server.

Proof of Concept

Poc:

Impact

Remote code execution

Related news

GHSA-582p-2fpg-x226: Microweber vulnerable to command injection

microweber/microweber prior to 1.3.3 is vulnerable to command injection in the "first name" field. This allows for server-side template injection, which can lead to arbitrary code execution.
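The mechanism the report and advisory describe, as an added example that is not code from Microweber or from the reporter: a minimal Python model of a template engine in which the user-supplied "first name" is spliced into the template source before it is compiled (the vulnerable pattern), beside the corrected pattern that passes the value as a context variable and escapes it on output. The engine, the greet_vulnerable/greet_fixed functions and the ssti_probe canary are constructed for this illustration; Microweber's real rendering code is PHP (Blade) and is not reproduced here, and the {{system('id')}} payload from the report is stood in for by an arithmetic canary so the example runs without spawning a process.

```python
import html
import re

# Toy template engine modelling the SSTI class (constructed for this example):
# anything between {{ and }} in the *template source* is evaluated as an expression.
# Real engines (Blade, Twig, Jinja2) differ in syntax and sandboxing, but share
# this property, which is why template source must never contain user data.
TAG = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)


def render(template_source: str, context: dict) -> str:
    """Compile-and-render: evaluates every {{ expr }} found in the source."""

    def evaluate(match: "re.Match[str]") -> str:
        expr = match.group(1).strip()
        # Builtins are removed, yet arithmetic and attribute access still work,
        # which is enough for an attacker to confirm evaluation ({{7*7}} -> 49).
        # In the real PHP engine the same position reached system('id').
        return str(eval(expr, {"__builtins__": {}}, dict(context)))

    return TAG.sub(evaluate, template_source)


def greet_vulnerable(first_name: str) -> str:
    """Vulnerable pattern: user data becomes part of the template source."""
    source = "<p>Hello, " + first_name + "!</p>"
    return render(source, {})


def greet_fixed(first_name: str) -> str:
    """Fixed pattern: constant template; user data enters only as a context
    variable and is HTML-escaped, so braces inside it are plain text."""
    source = "<p>Hello, {{ name }}!</p>"
    return render(source, {"name": html.escape(first_name, quote=True)})


def ssti_probe(render_with_input) -> bool:
    """Classic SSTI canary: submit an expression whose result cannot appear by
    accident. Returns True when the application evaluated it (injectable)."""
    marker = "{{ 1337 * 3 }}"
    out = render_with_input(marker)
    return "4011" in out and marker not in out


if __name__ == "__main__":
    # Constructed inputs: a benign name, the canary, and a markup payload.
    for name in ("Alice", "{{7*7}}", "<b>x</b>"):
        print("vulnerable:", greet_vulnerable(name))
        print("fixed:     ", greet_fixed(name))
    print("vulnerable injectable?", ssti_probe(greet_vulnerable))
    print("fixed injectable?     ", ssti_probe(greet_fixed))
```

The probe is the same check a tester performs against a profile form: if a submitted expression comes back evaluated rather than echoed, the field is compiled as template source, and an engine that exposes its host language's functions (as the {{system('id')}} payload above shows) turns that into remote code execution.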
