Server-Side Template Injection in Craft CMS Affects Web Applications
CVE-2018-20465

7.2HIGH

Key Information:

Vendor: Craftcms
Status: Craft Cms
Vendor: CVE Published:; 25 December 2018

What is CVE-2018-20465?

Craft CMS version 3.0.34 is susceptible to a server-side template injection vulnerability that allows authenticated administrators to inadvertently expose sensitive information. By manipulating server-side templates, attackers can extract critical database credentials, including the database username and password, which are displayed in the URI of the application settings. This vulnerability underscores the importance of securing template rendering environments to prevent unauthorized data disclosure.

References

https://github.com/phuctam/Server-Side-Template-Injection...

x_refsource_MISC

https://github.com/craftcms/cms/blob/master/CHANGELOG-v3.md

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 25, 2018
Vulnerability Reserved
Dec 25, 2018

Craftcms

What is CVE-2018-20465?

References

CVSS V3.1

Timeline