Hi, during my testing, I discovered that it is possible to inject code into the system through the “first name” field.
This vulnerability allows for server-side template injection, which can lead to arbitrary code execution. The impact of this vulnerability is potentially significant and should be addressed as soon as possible.
I ran {{system('id')}}, proving the code execution on the server.
PoC: