
CVE-2018-20465: Craft CMS Vulnerable to Server-Side Template Injection

CVSS Score: 7.2 (CVSS 3.0)

Basic Information

EPSS Score: 0.70265%
Published: 5/13/2022
Updated: 4/25/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
craftcms/cms | composer | <= 3.0.34 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from unsanitized Twig template evaluation in the URI Format field. Craft CMS's View::renderString() is the primary Twig rendering function that would execute user-provided template code (like {% ... %} blocks). The Sites::saveSite() method is implicated because it processes the vulnerable URI Format input without neutralizing template syntax. The high confidence in View::renderString() comes from its direct role in template evaluation, while Sites::saveSite() has medium confidence due to inferred input handling without explicit code evidence.
