Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
ssti vulnerabilities and exploits
(subscribe to this query)
NA
CVE-2023-46816
An issue exists in SugarCRM 12 prior to 12.0.4 and 13 prior to 13.0.2. A Server Site Template Injection (SSTI) vulnerability has been identified in the GecControl action. By using a crafted request, custom PHP code can be injected via the GetControl action because of missing inpu...
Sugarcrm Sugarcrm 13.0.0
Sugarcrm Sugarcrm 13.0.1
Sugarcrm Sugarcrm
NA
CVE-2023-38286
Thymeleaf up to and including 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) up to and including 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot...
Thymeleaf Thymeleaf
Codecentric Spring Boot Admin
1 Github repository
NA
CVE-2023-49964
An issue exists in Hyland Alfresco Community Edition up to and including 7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restricti...
Hyland Alfresco Content Services
1 Github repository
NA
CVE-2023-22621
Strapi up to and including 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an...
Strapi Strapi
3 Github repositories
NA
CVE-2023-37897
Grav is a file-based Web-platform built in PHP. Grav is subject to a server side template injection (SSTI) vulnerability. The fix for another SSTI vulnerability using `|map`, `|filter` and `|reduce` twigs implemented in the commit `71bbed1` introduces bypass of the denylist due t...
Getgrav Grav 1.7.42.1
Getgrav Grav 1.7.42
NA
CVE-2023-30179
CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because...
Craftcms Craft Cms 3.7.59
NA
CVE-2023-46245
Kimai is a web-based multi-user time-tracking application. Versions before 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, ...
Kimai Kimai
NA
CVE-2024-29686
Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote malicious user to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. NOTE: the vendor disputes this because the payload could only be entered by a tru...
10
CVSSv2
CVE-2022-22954
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.
Vmware Identity Manager 3.3.3
Vmware Vrealize Automation 7.6
Vmware Identity Manager 3.3.4
Vmware Identity Manager 3.3.5
Vmware Vrealize Automation
Vmware Identity Manager 3.3.6
Vmware Workspace One Access 20.10.0.1
Vmware Workspace One Access 20.10.0.0
Vmware Workspace One Access 21.08.0.1
Vmware Workspace One Access 21.08.0.0
Vmware Vrealize Suite Lifecycle Manager
Vmware Cloud Foundation
1 Metasploit module
25 Github repositories
3 Articles
NA
CVE-2024-34060
IrisEVTXModule is an interface module for Evtx2Splunk and Iris in order to ingest Microsoft EVTX log files. The `iris-evtx-module` is a pipeline plugin of `iris-web` that processes EVTX files through IRIS web application. During the upload of an EVTX through this pipeline, the fi...
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-49223
CVE-2024-0044
information disclosure
CVE-2024-35753
HTML injection
CVE-2024-21306
CVE-2024-35733
SQL injection
CVE-2024-35732
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
NEXT »