CVE-2020-28246:
Server-Side Template Injection in formio

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.87015%
Published: 6/3/2022
Updated: 5/3/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
formio       | npm       | <= 2.0.0            | (none listed)

Vulnerability Intelligence
Root Cause Analysis

The provided information describes the vulnerability (SSTI in email template deletion) but lacks concrete code examples, commit diffs, or file paths to identify specific vulnerable functions. The Form.io GitHub repositories (formio/formio and enterprise-release) do not contain visible code changes or documentation pointing to affected functions. While the vulnerability likely exists in email template handling logic (potentially in template rendering/processing functions during deletion), insufficient technical details prevent high-confidence identification of exact functions. Vendor disputes and removal of the email templating service further complicate analysis without access to historical code versions.

WAF Protection Rules

WAF Rule

A Server-Side Template Injection (SSTI) was discovered in Form.io 2.0.0. This leads to Remote Code Execution during deletion of the default email template URL. NOTE: the email templating service was removed after 2020. Additionally, the vendor disput