How severe is CVE-2024-25624?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.8 out of 10.

What type of vulnerability is CVE-2024-25624?

This is classified as CWE-1336, which is a common weakness in software security.

CVE-2024-25624 - MEDIUM Severity | CVSS 6.8

Vulnerability Description

Iris is a web collaborative platform aiming to help incident responders sharing technical details during investigations. Due to an improper setup of Jinja2 environment, reports generation in `iris-web` is prone to a Server Side Template Injection (SSTI). Successful exploitation of the vulnerability can lead to an arbitrary Remote Code Execution. An authenticated administrator has to upload a crafted report template containing the payload. Upon generation of a report based on the weaponized report, any user can trigger the vulnerability. The vulnerability is patched in IRIS v2.4.6. No workaround is available. It is recommended to update as soon as possible. Until patching, review the report templates and keep the administrative privileges that include the upload of report templates limited to dedicated users.

Related Vulnerabilities

CVE-2023-47542

MEDIUM

CVSS:6.7(Medium)

A improper neutralization of special elements used in a template engine [CWE-1336] in FortiManager versions 7.4.1 and below, versions 7.2.4 and below, and 7.0.10 and below allows attacker to execute u...

CWE-13362023

CVE-2024-39766

HIGH

CVSS:7.0(High)

Improper neutralization of special elements used in SQL command in some Intel(R) Neural Compressor software before version v3.0 may allow an authenticated user to potentially enable escalation of priv...

CWE-13362024

CVE-2022-0896

HIGH

CVSS:7.1(High)

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3.

CWE-13362022

CVE-2023-41047

MEDIUM

CVSS:6.5(Medium)

OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted GCODE script that wi...

CWE-13362023

CVE-2024-34710

HIGH

CVSS:7.1(High)

Wiki.js is al wiki app built on Node.js. Client side template injection was discovered, that could allow an attacker to inject malicious JavaScript into the content section of pages that would execute...

CWE-13362024

CVE-2024-55652

MEDIUM

CVSS:6.5(Medium)

PenDoc is a penetration testing reporting application. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an attacker can write a malicious docx template containing expressions that escape the ...

CWE-13362024