Miggo Logo
Miggo Vulnerability Database
CVE-2021-23803

CVE-2021-23803: Incorrect Authorization in latte/latte

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-23803
GHSA ID
GHSA-6pj2-5fqq-xvjc
EPSS Score
0.60253%
CWE
CWE-863
Published
1/6/2022
Updated
2/1/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
latte/lattecomposer< 2.10.62.10.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from inadequate input sanitization in the template parser. The Parser::parse method in latte/latte versions <2.10.6 did not remove control characters from the input. Attackers could exploit this by injecting control characters (e.g., system\x00) into function names. The SecurityPolicy's allowFunctions check would see the malformed function name (system\x00), which wasn't explicitly allowed, but the execution environment would interpret it as 'system' (stripping control characters at runtime), bypassing authorization. The GitHub patch explicitly adds control character removal in Parser.php, confirming this root cause. The PoC demonstrates this bypass using control characters to execute unauthorized functions like system().

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts t** p**k*** l*tt*/l*tt* ***or* *.**.*. T**r* is * w*y to *yp*ss *llow*un*tions t**t will *****t t** s**urity o* t** *ppli**tion. W**n t** t*mpl*t* is s*t to *llow/*is*llow t** us* o* **rt*in *un*tions, ***in* *ontrol ***r**t*rs (x**-x**)

Reasoning

T** vuln*r**ility st*ms *rom in***qu*t* input s*nitiz*tion in t** t*mpl*t* p*rs*r. T** P*rs*r::p*rs* m*t*o* in l*tt*/l*tt* v*rsions <*.**.* *i* not r*mov* *ontrol ***r**t*rs *rom t** input. *tt**k*rs *oul* *xploit t*is *y inj**tin* *ontrol ***r**t*rs