The vulnerability is a Server-Side Template Injection (SSTI) in the FoF Pretty Mail extension for Flarum. The vulnerability description and an unmerged patch on a forked repository indicate that the flaw is in src/BladeCompiler.php: the compileString method of the FoF\PrettyMail\BladeCompiler class compiles the email templates, and it compiles whatever template text it is given without restricting the expressions embedded in it. Because Blade templates are compiled to PHP and then executed by the same PHP process that runs the forum, an attacker who holds administrative privileges (and can therefore edit the email templates) can place arbitrary PHP in a template and have it executed on the server.
FoF\PrettyMail\Mailer::render in src/Mailer.php is also identified as vulnerable: it initiates the rendering of an email and calls compileString on the template, so it is the path through which an injected template reaches the compiler. An unmerged patch in a fork of the repository addresses the issue by replacing the BladeCompiler with a SandboxedBladeCompiler that overrides compileString so that the template is compiled and executed in a sandboxed environment. The file contents could not be retrieved during this analysis, but the exploit database entry and the unmerged patch together give high confidence in the two vulnerable functions identified.
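To make the mechanism concrete, the following is an added example written for this page; it is not code from fof/pretty-mail, Flarum, or Illuminate's Blade. It is a toy compiler that handles only the `{{ ... }}` echo construct (real Blade has many more, such as `{!! !!}` and `@php`, which a real sandbox must also cover), compiles a template string to PHP and executes it, beside a sandboxed variant that refuses anything other than a bare variable name inside the braces. The template strings and the variables `username` and `forumTitle` are constructed for the example.

```php
<?php
// Added example, not code from fof/pretty-mail or Illuminate/Blade.
// Shows why compiling an admin-supplied template string is equivalent to
// executing admin-supplied PHP, and one way a sandboxed compiler can refuse it.

declare(strict_types=1);

// Unsafe: like a real Blade compileString(), the expression inside {{ }} is
// emitted verbatim into the generated PHP. Escaping the *output* does nothing
// to stop the expression itself from running.
function compileStringUnsafe(string $template): string
{
    return preg_replace_callback(
        '/\{\{\s*(.+?)\s*\}\}/s',
        fn(array $m): string =>
            '<?php echo htmlspecialchars((string) (' . $m[1] . '), ENT_QUOTES); ?>',
        $template
    );
}

// Sandboxed: only a bare variable name ($name) is accepted inside {{ }};
// function calls, operators and anything else are rejected before compilation.
function compileStringSandboxed(string $template): string
{
    return preg_replace_callback(
        '/\{\{\s*(.+?)\s*\}\}/s',
        function (array $m): string {
            if (!preg_match('/^\$[A-Za-z_][A-Za-z0-9_]*$/', $m[1])) {
                throw new RuntimeException('Disallowed expression in template: ' . $m[1]);
            }
            return '<?php echo htmlspecialchars((string) ' . $m[1] . ', ENT_QUOTES); ?>';
        },
        $template
    );
}

// Execute compiled PHP with a variable scope, the way a view engine includes a
// compiled template file. eval() stands in for writing to the view cache.
function render(string $compiled, array $data): string
{
    extract($data, EXTR_SKIP);
    ob_start();
    eval('?>' . $compiled);
    return ob_get_clean();
}

// Constructed inputs. The second is what an administrator could save as an
// email template: the text inside {{ }} is arbitrary PHP, here php_uname().
$benign    = 'Hello {{ $username }}, welcome to {{ $forumTitle }}.';
$malicious = 'Hello {{ $username }}, running on {{ php_uname() }}';
$data      = ['username' => 'alice', 'forumTitle' => 'Example Forum'];

echo render(compileStringUnsafe($benign), $data), PHP_EOL;
// The template author's PHP runs on the server: the OS name and version appear.
echo render(compileStringUnsafe($malicious), $data), PHP_EOL;

// The sandboxed compiler renders the benign template and rejects the malicious one.
foreach ([$benign, $malicious] as $template) {
    try {
        echo render(compileStringSandboxed($template), $data), PHP_EOL;
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Run it with `php example.php`. The point of the sandboxed variant is that the allowlist is applied to the template source before any PHP is generated; once a string has reached the compiler with a function call in it, there is no safe way to "sanitize" the generated code afterwards.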
| Vulnerable Function | File |
|---|---|
| FoF\PrettyMail\BladeCompiler::compileString | src/BladeCompiler.php |
| FoF\PrettyMail\Mailer::render | src/Mailer.php |
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| fof/pretty-mail | composer | <= 1.1.2 | |