Lucene search
K

MJML 4.6.2 Path Traversal

🗓️ 16 Jun 2020 00:00:00Reported by Julien AhrensType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 689 Views

MJML 4.6.2 Path Traversal RCE Security Advisory. Vulnerability in MJML's mj-include component allows path traversal and potential RCE attacks

Related
Code
ReporterTitlePublishedViews
Family
0day.today
MJML 4.6.2 Path Traversal Vulnerability
16 Jun 202000:00
zdt
GithubExploit
Exploit for Cross-site Scripting in Astaro Security_Gateway_Software
30 Apr 201915:15
githubexploit
CNVD
Mailjet MJML Path Traversal Vulnerability
18 Jun 202000:00
cnvd
CVE
CVE-2020-12827
17 Jun 202013:28
cve
Cvelist
CVE-2020-12827
17 Jun 202013:28
cvelist
EUVD
EUVD-2022-2384
3 Oct 202520:07
euvd
EUVD
EUVD-2025-203312
15 Dec 202500:30
euvd
Github Security Blog
MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827
15 Dec 202500:30
github
Github Security Blog
MJML vulnerable to path traversal
24 May 202217:20
github
NVD
CVE-2020-12827
17 Jun 202014:15
nvd
Rows per page
`RCE Security Advisory  
https://www.rcesecurity.com  
  
  
1. ADVISORY INFORMATION  
=======================  
Product: MJML  
Vendor URL: https://github.com/mjmlio/mjml/  
Type: Path Traversal [CWE-22]  
Date found: 2020-04-28  
Date published: 2020-06-14  
CVSSv3 Score: 7.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L)  
CVE: CVE-2020-12827  
  
  
2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.  
  
  
3. VERSIONS AFFECTED  
====================  
MJML <= 4.6.2  
  
As a solution MJML disabled mj-include by default in MJML v4.6.3 by adding the  
"ignoreIncludes" directive, however, the component could still be explicitly  
enabled, making the application vulnerable again.  
  
  
4. INTRODUCTION  
===============  
MJML is a markup language created by Mailjet and designed to reduce the pain of  
coding a responsive email. Its semantic syntax makes it easy and straightforward  
while its rich standard components library fastens your development time and  
lightens your email codebase. MJML’s open-source engine takes care of  
translating the MJML you wrote into responsive HTML.  
  
(from the vendor's homepage)  
  
  
5. VULNERABILITY DETAILS  
========================  
MJML offers a component called "mj-include" that allows other external MJML  
files to be included into the email template by using its "path" attribute.  
(see https://mjml.io/documentation/#mj-include).  
  
However MJML does not properly validate the value supplied to the "path"  
argument, allowing an attacker to traverse directories or even directly point to  
other system files outside of the web server's root directory.  
  
However since MJML expects the referenced file to be in the format of a MJML  
file, the attack scope is limited to:  
  
- Leaking the local server path by pointing to a non-existing MJML file, which  
throws an error containing the full path, i.e.:  
<mjml><mj-include path='test'/></mjml>  
  
- Enumerating local server files by using a true/false approach. Existing server  
files return an error, while non-existing do not:  
<mjml><mj-include path='/etc/passwd'/></mjml>  
  
- Partially reading local binary server files. Pointing path to binary files  
throws an error, but the error message does contain a portion of the referenced  
file. On this way it is possible to leak parts of i.e. compressed local log  
files:  
<mjml><mj-include path='/var/log/apt/history.log.1.gz'/></mjml>  
  
- Causing denial of service conditions on the application embedding MJML, by  
reading i.e. /dev/urandom:  
<mjml><mj-include path='/dev/urandom'/></mjml>  
  
  
6. RISK  
=======  
The vulnerability can be used by an unauthenticated attacker or authenticated  
attacker depending on how MJML is embedded to leak sensitive information about  
the server such as local server paths and contents of compressed/binary files  
or cause denial of service attacks against the application.  
  
  
7. SOLUTION  
===========  
Update MJML to version 4.6.3 and keep "ignoreIncludes" set to false.  
  
  
8. REPORT TIMELINE  
==================  
2020-04-28: Discovery of the vulnerability  
2020-04-30: Reported the vulnerability to maintainers of MJML  
2020-05-05: MJML pushes a fix disabling includes by default.  
2020-05-11: CVE requested from MITRE  
2020-05-13: MITRE assigns CVE-2020-12827  
2020-06-14: Public disclosure.  
  
  
9. REFERENCES  
=============  
https://github.com/mjmlio/mjml/commit/30e29ed2cdaec8684d60a6d12ea07b611c765a12  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation