CVE-2023-29689

2023-08-0415:15:10

Google

osv.dev

pyrocms

3.9

remote code execution

ssti flaw

vulnerability

server-side template injection

malicious attacker

arbitrary code

software

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

Low

0.006 Low

EPSS

Percentile

78.3%

JSON

PyroCMS 3.9 contains a remote code execution (RCE) vulnerability that can be exploited through a server-side template injection (SSTI) flaw. This vulnerability allows a malicious attacker to send customized commands to the server and execute arbitrary code on the affected system.

CPENameOperatorVersion
pyrocmseq3.6.3
pyrocmseq3.4.10
pyrocmseq3.4.6
pyrocmseq3.0.0-rc1
pyrocmseq3.0.0-rc2
pyrocmseq3.3.7
pyrocmseq3.0.0
pyrocmseq3.4.7
pyrocmseq3.0.0-beta1
pyrocmseq3.1.2

Name	Operator	Version
pyrocms	eq	3.6.3
pyrocms	eq	3.4.10
pyrocms	eq	3.4.6
pyrocms	eq	3.0.0-rc1
pyrocms	eq	3.0.0-rc2
pyrocms	eq	3.3.7
pyrocms	eq	3.0.0
pyrocms	eq	3.4.7
pyrocms	eq	3.0.0-beta1
pyrocms	eq	3.1.2