Miggo Logo

CVE-2022-21648: Sandbox bypass in Latte templates

8.2

CVSS Score
3.1

Basic Information

EPSS Score
0.53703%
Published
1/6/2022
Updated
2/3/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
latte/lattecomposer>= 2.10.0, < 2.10.82.10.8
latte/lattecomposer>= 2.9.0, < 2.9.62.9.6
latte/lattecomposer>= 2.8.0, < 2.8.82.8.8

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit diff shows a security patch in PhpWriter.php that adds validation to block complex expressions (e.g., {$var}) in strings when the sandbox is enabled. The absence of this check in vulnerable versions allowed untrusted templates to execute arbitrary code. The tests added in the commit explicitly verify this scenario, confirming the function's role in the vulnerability. The CWE-79 classification and advisory descriptions further corroborate that improper input neutralization in template processing was the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** pro*l*m *****ts us*rs w*o us* t** s*n**ox in L*tt* *n* t*mpl*t*s *rom untrust** sour**s. ### P*t***s S*n**ox *irst *pp**r** in L*tt* *.*.*. T** issu* is *ix** in t** v*rsions *.*.*, *.*.* *n* *.**.*. ### R***r*n**s T** issu*s w*r* *

Reasoning

T** *ommit *i** s*ows * s**urity p*t** in P*pWrit*r.p*p t**t ***s v*li**tion to *lo*k *ompl*x *xpr*ssions (*.*., `{$v*r}`) in strin*s w**n t** s*n**ox is *n**l**. T** **s*n** o* t*is ****k in vuln*r**l* v*rsions *llow** untrust** t*mpl*t*s to *x**ut*