VYPR
Critical severity · NVD Advisory · Published May 31, 2022 · Updated Aug 4, 2024

CVE-2020-28246

Description

Server-Side Template Injection in Form.io 2.0.0 allows RCE during deletion of the default Email template; vendor disputes as sandboxed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A Server-Side Template Injection (SSTI) vulnerability was discovered in Form.io version 2.0.0 [1]. The flaw exists in the email templating service, specifically when the default Email template URL is deleted [1]. This allows injection of server-side template code that is executed on the server [1]. The vulnerable email templating service was removed after 2020 [1].

Exploitation

An attacker must be an administrator with access to the email template configuration [1]. The vulnerability is triggered during the deletion of the default Email template URL [1]. The vendor disputes the severity, claiming the feature is sandboxed and only executable by admins [1]. No further technical details about the attack vector are publicly available in the provided references.

Impact

Successful exploitation could lead to Remote Code Execution (RCE) on the server [1]. The impact is limited by the requirement of administrative privileges and the vendor's assertion that the execution is sandboxed [1]. The exact confidentiality, integrity and availability outcome is not fully detailed in the available references.

Mitigation

Form.io removed the email templating service after 2020, effectively eliminating this attack vector [1]. No specific patched version is mentioned; the vulnerability only affects version 2.0.0 [1]. Users of that version should upgrade to a release published after 2020 or disable the email templating functionality. The vendor disputes the risk, stating that the feature is sandboxed [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: formio (npm)
Affected versions: <= 2.0.0
Patched versions: none listed
