StrongShop v1.0 has a vulnerability for Server-Side Template Injection (SSTI) #47

Open
@Hebing123

Summary

StrongShop v1.0 has a vulnerability for Server-Side Template Injection (SSTI). The vulnerability allows attackers to inject malicious code into templates executed on the server by the Laytpl engine.

Details

The vulnerability occurs in: resources/views/admin/shippingOptionConfig/index.blade.php.

Proof of Concept (POC)

http://192.168.0.10:1019/admin/shippingOptionConfig/index?shipping_option_id={{25*25}}

Impact

An attacker with administrator privileges can exploit the Server-Side Template Injection (SSTI) vulnerability to attack the server.
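
For defenders triaging this report, the following added example (not part of the issue and not StrongShop code) scans web access logs for requests to the reported endpoint whose shipping_option_id is not a plain numeric id, including percent-encoded template delimiters. It assumes a legitimate id is a decimal integer and that logs use the combined format; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Path and parameter name come from the issue's proof of concept.
TARGET_PATH = "/admin/shippingOptionConfig/index"
TARGET_PARAM = "shipping_option_id"
# Assumption: a legitimate shipping_option_id is a plain decimal id.
VALID_ID = re.compile(r"\d{1,10}")
# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %257B%257B is seen as {{."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_lines):
    """Return (line_number, decoded_value) for non-numeric ids on the endpoint."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path != TARGET_PATH:
            continue
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw)
            if name == TARGET_PARAM and not VALID_ID.fullmatch(value):
                hits.append((number, value))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /admin/shippingOptionConfig/index?shipping_option_id=3 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2025:10:00:07 +0000] "GET /admin/shippingOptionConfig/index?shipping_option_id={{25*25}} HTTP/1.1" 200 5131',
    '10.0.0.5 - - [01/Jan/2025:10:00:09 +0000] "GET /admin/shippingOptionConfig/index?shipping_option_id=%257B%257B25*25%257D%257D HTTP/1.1" 200 5131',
    '10.0.0.5 - - [01/Jan/2025:10:00:12 +0000] "GET /admin/product/index?shipping_option_id={{1}} HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: suspicious {TARGET_PARAM}={value!r}")
```

The same allow-list rule (reject anything that is not a decimal id) is the natural server-side input check for this parameter, under the same assumption about its type.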
