Total: 28 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-2259 | 1 Alf | 1 Alf | 2023-05-03 | N/A | 7.2 HIGH |
| Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304. | |||||
| CVE-2023-2017 | 1 Shopware | 1 Shopware | 2023-04-28 | N/A | 8.8 HIGH |
| Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731. | |||||
| CVE-2022-47896 | 1 Jetbrains | 1 Intellij Idea | 2022-12-29 | N/A | 7.8 HIGH |
| In JetBrains IntelliJ IDEA before 2022.3.1, code templates were vulnerable to SSTI attacks. | |||||
| CVE-2022-25813 | 1 Apache | 1 Ofbiz | 2022-09-07 | N/A | 7.5 HIGH |
| In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin can insert malicious content in a message "Subject" field from the "Contact us" page. Then a party manager needs to list the communications in the party component to activate the SSTI. An RCE is then possible. | |||||
| CVE-2021-39128 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2022-08-01 | 6.5 MEDIUM | 7.2 HIGH |
| Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in the Email Template feature. The affected versions of Jira Server or Data Center are before version 8.13.12, and from version 8.14.0 before 8.19.1. | |||||
| CVE-2022-27662 | 1 F5 | 1 Traffix Signaling Delivery Controller | 2022-05-13 | 3.5 LOW | 4.8 MEDIUM |
| On F5 Traffix SDC 5.2.x versions prior to 5.2.2 and 5.1.x versions prior to 5.1.35, a stored Cross-Site Template Injection vulnerability exists in an undisclosed page of the Traffix SDC Configuration utility that allows an attacker to execute template language-specific instructions in the context of the server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2022-0944 | 1 Sqlpad | 1 Sqlpad | 2022-03-21 | 6.5 MEDIUM | 7.2 HIGH |
| Template injection in connection test endpoint leads to RCE in GitHub repository sqlpad/sqlpad prior to 6.10.1. | |||||
| CVE-2022-0896 | 1 Microweber | 1 Microweber | 2022-03-11 | 6.8 MEDIUM | 8.8 HIGH |
| Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3. | |||||
