CVE-2022-25813

HIGH Year: 2022
CVSS v3 Score
7.5
High
Weakness Type
CWE-1336
View all →

Vulnerability Description

In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page. Then a party manager needs to list the communications in the party component to activate the SSTI. A RCE is then possible.

Related Vulnerabilities

CVE-2024-41950

HIGH
CVSS:7.5(High)

Haystack is an end-to-end LLM framework that allows you to build applications powered by LLMs, Transformer models, vector search and more. Haystack clients that let their users create and run Pipeline...

CWE-13362024

CVE-2021-39128

HIGH
CVSS:7.2(High)

Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-sid...

CWE-13362021

CVE-2022-47896

HIGH
CVSS:7.8(High)

In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks.

CWE-13362022

CVE-2023-29297

HIGH
CVSS:7.2(High)

Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Improper Neutralization of Special Elements Used in a Template Engine vulnerability tha...

CWE-13362023

CVE-2023-46245

HIGH
CVSS:7.2(High)

Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The ...

CWE-13362023

CVE-2023-5764

HIGH
CVSS:7.8(High)

A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use ...

CWE-13362023