Miggo Logo

CVE-2021-40219: Code Injection in Bolt CMS

8.8

CVSS Score
3.1

Basic Information

EPSS Score
0.89261%
Published
4/12/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
bolt/corecomposer<= 4.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the TemplateController's template() method which takes a user-supplied template name and passes it directly to Twig's render() function. The code comment explicitly warns this isn't routed by default due to security risks. Attackers with theme editing privileges can create malicious templates containing Twig code (like the PoC's {{[...]|filter('system')}} payload), which gets executed when the template is rendered. The lack of input sanitization and unsafe rendering of user-controlled template files creates the code injection vector. The provided exploit demonstrates this leads to RCE through Twig's template execution capabilities.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*olt *MS <= *.* is vuln*r**l* to R*mot* *o** *x**ution. Uns*** t**m* r*n**rin* *llows *n *ut**nti**t** *tt**k*r to **it t**m* to inj**t s*rv*r-si** t*mpl*t* inj**tion t**t l***s to r*mot* *o** *x**ution.

Reasoning

T** vuln*r**ility st*ms *rom t** `T*mpl*t**ontroll*r`'s `t*mpl*t*()` m*t*o* w*i** t*k*s * us*r-suppli** t*mpl*t* n*m* *n* p*ss*s it *ir**tly to Twi*'s `r*n**r()` *un*tion. T** *o** *omm*nt *xpli*itly w*rns t*is isn't rout** *y ****ult *u* to s**urity