History: Jun 11, 2024 - 7:16 p.m.

CVE-2024-37301

2024-06-11 19:16:07
CWE-1336
web.nvd.nist.gov
Tags: document merge service, api, vulnerability, template merge, server-side injection, remote code execution, full takeover, affected system

CVSS3: 9.9 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score: 9.9 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.1%)

Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the affected system. As of time of publication, no patched version exists, nor have any known workarounds been disclosed.

Affected configurations

Vulners

Node: adfinis document_merge_service, Range: <6.5.2

CNA Affected

[
  {
    "vendor": "adfinis",
    "product": "document-merge-service",
    "versions": [
      {
        "version": "< 6.5.2",
        "status": "affected"
      }
    ]
  }
]
