CVE-2024-XXXX in Bagisto is a Server-Side Template Injection (SSTI) flaw in the product description field. Bagisto is built on Laravel, and the affected code hands the stored description to the Blade templating engine as template source rather than as data to be displayed inside a fixed template. That distinction is the whole bug: Blade compiles {{ expression }} into <?php echo e(expression); ?>, so whatever sits between the braces is executed as PHP on the server, and the e() HTML escaping is applied only to the expression's result afterwards. Output escaping therefore does not help; the input is never "un-escaped", it is compiled. Any user who can save a product description can write {{ phpinfo() }} or a system() call into it and have it run with the web server's privileges, which is full Remote Code Execution (RCE) on the underlying host. Triggering it takes nothing more than creating or editing a product with a crafted description and then loading any page that renders that description.
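The following is an added illustration, not Bagisto's code, of the one line that turns a description into an SSTI and the two safe ways to display the same field. It assumes a Laravel 9+ application (Blade::render accepting a $data array), a hypothetical App\Models\Product Eloquent model with a user-editable description column, and, for the rich-text variant, the ezyang/htmlpurifier package; the route paths are made up for the example.

```php
<?php
// Added example (not Bagisto's code): data vs. template source in Blade.
// Assumes Laravel 9+, a hypothetical App\Models\Product model with a
// "description" column, and ezyang/htmlpurifier for the rich-text route.

use App\Models\Product;                       // hypothetical model
use Illuminate\Support\Facades\Blade;
use Illuminate\Support\Facades\Route;

// VULNERABLE: the description is passed as the *template string*. Blade compiles
// "{{ phpinfo() }}" to "<?php echo e(phpinfo()); ?>" and executes it. e() only
// HTML-escapes the return value, after the call has already run on the server.
Route::get('/vuln/product/{product}', function (Product $product) {
    return Blade::render($product->description);           // SSTI -> RCE
});

// SAFE (plain text): the template is a fixed string written by the developer;
// the description travels in $data and is only ever echoed through e().
// A stored "{{ 7*7 }}" is printed literally, not evaluated.
Route::get('/safe/product/{product}', function (Product $product) {
    return Blade::render(
        '<div class="desc">{{ $description }}</div>',
        ['description' => $product->description]
    );
});

// SAFE (rich text): merchants often need HTML in descriptions. Still keep the
// value in $data; allow HTML only through a real sanitizer, then emit it with
// the raw echo syntax. The sanitizer neutralises XSS; it is the fixed template
// (not the sanitizer) that rules out SSTI, because the value is never compiled.
Route::get('/safe-html/product/{product}', function (Product $product) {
    $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
    $clean    = $purifier->purify($product->description);
    return Blade::render(
        '<div class="desc">{!! $clean !!}</div>',
        ['clean' => $clean]
    );
});
```

The test for any Blade rendering path is simple: if a string that the user controls is the first argument to Blade::render(), Blade::compileString(), or is written to a .blade.php file that is then rendered, it is template source and the user can execute PHP. If it arrives through the $data array or view('...', [...]) variables, it is data and {{ }} escapes it.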
Platform: Bagisto
Version: v2.3.7
Vulnerability : SSTI -> RCE
Severity: Critical
Date: 2024-10-17
Prediction: Patch by 2024-11-15
What Undercode Say:
# Probe. Admin POSTs need the authenticated session cookie and Laravel's _token CSRF field;
# the path and field name are as given in the report.
curl -X POST 'http://target.com/admin/products' -b cookies.txt --data-urlencode '_token=<csrf-token>' --data-urlencode 'description={{7*7}}'
# A product page that shows 49 instead of the literal {{7*7}} proves the description is compiled as a Blade template.
// Example payloads (each is compiled to <?php echo e(...); ?> and executed on the server)
{{ file_get_contents('/etc/passwd') }}   // the file contents come back in the page, HTML-escaped by e()
{{ phpinfo() }}                          // phpinfo() writes straight into the response
// Vulnerable sink pattern: user-controlled text handed to the compiler as template source
\Blade::render($userInput);
How Exploit:
1. Attacker obtains an account that can create or edit products (admin, or any role with product-editing rights); the flaw is post-authentication.
2. Creates or edits a product with Blade syntax in the description, e.g. {{ phpinfo() }} or a system() call.
3. Any visitor or administrator loads a page that renders the description; the server compiles the description as a Blade template.
4. The embedded expression runs as PHP under the web server's user, giving RCE.
Protection from this CVE:
Never pass user-controlled strings to Blade::render(), Blade::compileString(), or any other template-compile sink; render stored descriptions as data ({{ $description }}) inside a fixed template.
Escaping is not a fix on its own: {{ }} escapes the result of an expression, not the expression, so a description that is compiled still executes.
If rich-text descriptions are required, run them through an HTML sanitizer and output the sanitized value as data with {!! !!}; that stops XSS, while keeping the value out of the compiler stops SSTI.
As defense in depth, reject descriptions containing template or PHP syntax ({{, {!!, @php, <?php) at validation time, and keep product-editing roles to the accounts that need them.
A Content Security Policy is a browser-side control and does not prevent server-side code execution; it only limits what an injected script in the description could do in the visitor's browser.
Update to the patched version upon release.
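The validation step above, as an added stand-alone PHP example rather than Bagisto's own validation rule: it rejects any description that contains Blade echo syntax, a dangerous Blade directive, or a PHP open tag, so nothing that looks like template source is ever stored. The sample inputs are constructed for the example; the function is written so it can be dropped into a form-request or controller check, and the script runs on its own with php validate_description.php.

```php
<?php
// Added defense-in-depth example (not Bagisto's code). A product description is
// data and should never reach the Blade compiler; this validator additionally
// refuses to store anything that looks like template or PHP source.
// Runs stand-alone: php validate_description.php
declare(strict_types=1);

/** Returns a description of the first template/PHP construct found, or null if clean. */
function findBladeSyntax(string $text): ?string
{
    $patterns = [
        'blade echo'      => '/\{\{.*?\}\}/s',   // {{ expr }}   -> echo e(expr)
        'blade raw echo'  => '/\{!!.*?!!\}/s',   // {!! expr !!} -> echo expr
        // Directives that execute code, include files or resolve services.
        'blade directive' => '/@(php|include\w*|extends|inject|component|each|eval)\b/i',
        'php open tag'    => '/<\?(php|=)?/i',   // <?php, <?=, <?
    ];
    foreach ($patterns as $label => $re) {
        if (preg_match($re, $text, $m)) {
            return "$label: {$m[0]}";
        }
    }
    return null;
}

/** Controller-style wrapper: reject rather than "clean", so the stored value is the user's own text or nothing. */
function validateDescription(string $text): array
{
    $hit = findBladeSyntax($text);
    return $hit === null
        ? ['ok' => true,  'reason' => null]
        : ['ok' => false, 'reason' => "template syntax not allowed ($hit)"];
}

// Constructed samples: the report's payloads plus benign text that must pass.
$samples = [
    'Blue cotton t-shirt, 100% organic.'                  => true,
    'Contact us at support@example.com for bulk orders.'  => true,  // "@example" is not a directive
    '{{ 7*7 }}'                                           => false,
    "{{ file_get_contents('/etc/passwd') }}"              => false,
    '{{ phpinfo() }}'                                     => false,
    "{!! system('id') !!}"                                => false,
    '@php echo shell_exec("id"); @endphp'                 => false,
    '<?php system("id"); ?>'                              => false,
    "Multi-line\n{{\n  phpinfo()\n}}"                     => false, // /s lets .*? span newlines
];

$failures = 0;
foreach ($samples as $text => $expectedOk) {
    $result = validateDescription($text);
    if ($result['ok'] !== $expectedOk) {
        fwrite(STDERR, "unexpected verdict for: " . json_encode($text) . "\n");
        $failures++;
    }
    printf("%-5s %s\n", $result['ok'] ? 'PASS' : 'BLOCK', $result['reason'] ?? json_encode($text));
}
exit($failures === 0 ? 0 : 1);
```

Rejecting is deliberate: stripping or prefixing braces (Blade's @{{ }} literal form) invites encoding tricks and bugs in the "cleaner", and a shop description has no legitimate need for template syntax. The validator is a second line of defense only; the fix that removes the vulnerability is rendering the description as data.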
Impact:
Full system compromise.
Sensitive data exfiltration.
Application backdoor installation.
Privilege escalation.
Sources:
Reported By: github.com