| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| bagisto/bagisto | composer | <= 2.3.7 | 2.3.8 |
The vulnerability is a Server-Side Template Injection (SSTI) in Bagisto's product description field. The root cause is the lack of input sanitization before the user-provided description is processed by Laravel's Blade templating engine. An attacker with privileges to create or edit products could inject Blade template code into the description, leading to arbitrary code execution on the server.
The investigation of the patch commit 8076c708498a0187bc952d5f5f705e0cb1919682 confirms this. The fix involves several key changes:
- The stevebauman/purify package was added as a dependency to provide robust HTML sanitization.
- A helper function, clean_content(), was introduced in packages/Webkul/Core/src/Http/helpers.php. It first uses Purify to clean the HTML and then uses preg_replace to strip out any remaining Blade and PHP syntax, neutralizing template injection attempts.
- The ProductForm request class (packages/Webkul/Admin/src/Http/Requests/ProductForm.php) gained a passedValidation() method, which Laravel calls automatically after validation succeeds. This method identifies any text area fields with WYSIWYG enabled (such as the product description) and applies clean_content() to them before they are passed to the controller.
- In the ProductController, the update method was changed from using the raw request()->all() to using the form request's data via $request->all(). This change is critical because it ensures the sanitized data from the ProductForm is used rather than the raw, potentially malicious, input.

Based on this, the primary vulnerable functions are the controller methods responsible for handling product creation and updates, as they are the entry points for the malicious data:

- Webkul\Admin\Http\Controllers\Catalog\ProductController::store: handles the creation of new products.
- Webkul\Admin\Http\Controllers\Catalog\ProductController::update: handles the updating of existing products.

Before the patch, these methods processed the raw, unsanitized input from the product form, allowing the SSTI payload to be saved to the database and later executed by the Blade engine during rendering.
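The following is an added illustration of the mitigation pattern described above, written for this page and not taken from the Bagisto patch. It shows the second stage of the fix (stripping Blade and raw PHP syntax from rich-text fields after validation) as a stand-alone PHP file; the first stage, HTML sanitization via stevebauman/purify, is omitted so the snippet runs without dependencies. The function names strip_template_syntax() and sanitize_wysiwyg_fields(), the regular expressions, and the sample input are assumptions made for the example and do not reproduce Bagisto's clean_content() or its passedValidation() hook.

```php
<?php
// Added example (not Bagisto's code): strip template syntax from WYSIWYG input so
// that user-supplied product descriptions cannot be interpreted by Blade.
// In the real fix, an HTML purifier (stevebauman/purify) runs before this step.

function strip_template_syntax(string $html): string
{
    // Patterns are applied in order by preg_replace(); each is an assumption
    // chosen for this illustration, not the project's own pattern list.
    $patterns = [
        '/<\?(?:php|=)?[\s\S]*?(?:\?>|$)/i',      // <?php ... ?> and <?= ... ?>, including an unterminated tag
        '/\{!!.*?!!\}/s',                          // unescaped Blade echo {!! ... !!}
        '/\{\{--.*?--\}\}/s',                      // Blade comments {{-- ... --}}
        '/\{\{.*?\}\}/s',                          // escaped Blade echo {{ ... }}
        '/(?<!\w)@[a-zA-Z_]+(?:\s*\([^)]*\))?/',   // directives such as @php, @endphp, @include('x')
    ];

    // The lookbehind on the directive pattern keeps e-mail addresses such as
    // user@example.com intact, since the '@' there follows a word character.
    // Nested parentheses inside a directive argument are not tracked; the
    // directive keyword is still removed, which is what makes it inert.
    return preg_replace($patterns, '', $html);
}

// Mirrors the idea of a form request hook that cleans only the rich-text fields
// after validation has passed, leaving other fields untouched.
function sanitize_wysiwyg_fields(array $input, array $wysiwygFields): array
{
    foreach ($wysiwygFields as $field) {
        if (isset($input[$field]) && is_string($input[$field])) {
            $input[$field] = strip_template_syntax($input[$field]);
        }
    }
    return $input;
}

// Constructed sample request data; the description mixes legitimate HTML with
// harmless Blade and PHP syntax to show what the helper removes.
$constructedInput = [
    'name'        => 'Sample product',
    'description' => '<p>Good item</p> @php echo "x"; @endphp {{ 1 + 1 }} <?= 2 ?>',
];

$clean = sanitize_wysiwyg_fields($constructedInput, ['description']);
echo $clean['name'], PHP_EOL;
echo $clean['description'], PHP_EOL;
```

Running the file prints the unchanged product name followed by the description with every Blade echo, directive and PHP tag removed; the plain text between the stripped @php and @endphp markers survives but is rendered as ordinary content, not executed. As in the patch, the important design choice is that the cleaning happens inside the form request flow and the controller then reads the cleaned data rather than the raw request, so a second code path cannot reintroduce the unsanitized value.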