Critical severity · NVD Advisory · Published Aug 4, 2023 · Updated Oct 17, 2024

CVE-2023-29689

Description

PyroCMS 3.9 contains a remote code execution (RCE) vulnerability that can be exploited through a server-side template injection (SSTI) flaw. This vulnerability allows a malicious attacker to send customized commands to the server and execute arbitrary code on the affected system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                       | Affected versions | Patched versions
pyrocms/pyrocms (Packagist)   | <= 3.9            | none listed

Vulnerability mechanics

Root cause

"The application allows unescaped template syntax within user-controlled fields, leading to server-side template injection."

Attack vector

An authenticated attacker with administrative privileges can exploit this vulnerability. The attacker needs access to the `/admin/users/roles/edit/1` endpoint. By manipulating the `description_en` field with template syntax, the attacker can inject commands that are then executed by the server via the `map('system')` filter [ref_id=1]. The output of the executed command is then displayed on the page.

Affected code

The vulnerability is present in PyroCMS version 3.9. The exploit targets the role editing functionality, specifically the `description_en` field, which is susceptible to Server-Side Template Injection (SSTI) [ref_id=1].
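The two rendering paths below are an added example (not PyroCMS code and not from the advisory's references) that contrasts the root cause described above with a hardened form. The vulnerable function compiles a stored, user-controlled description as a Twig template, so any template syntax saved in the field is evaluated by the engine; the hardened function keeps the template fixed and passes the description as escaped data, so delimiters in the value are emitted literally. An audit helper flags stored values carrying Twig delimiters, which is useful as a save-time check and as a one-off scan of existing role records. It assumes twig/twig is installed via Composer; the function names and sample values are constructed for the example.

```php
<?php
// Added example (not PyroCMS code): vulnerable vs. hardened rendering of a
// user-controlled role description, plus an audit check for template syntax.
// Assumes twig/twig is installed via Composer (vendor/autoload.php).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

/**
 * VULNERABLE: the stored description (e.g. a role's description_en field)
 * is compiled as a Twig template. Whatever template syntax the user saved
 * is evaluated by the engine, which is the flaw the advisory describes.
 */
function renderDescriptionUnsafe(string $storedDescription): string
{
    $twig = new Environment(new ArrayLoader(['role_desc' => $storedDescription]));
    return $twig->render('role_desc');
}

/**
 * HARDENED: the template is a fixed string under the application's control;
 * the description is supplied as a context variable and HTML-autoescaped,
 * so "{{ ... }}" or "{% ... %}" in the stored value is printed, never run.
 */
function renderDescriptionSafe(string $storedDescription): string
{
    $twig = new Environment(
        new ArrayLoader(['role_desc' => '<p>{{ description }}</p>']),
        ['autoescape' => 'html']
    );
    return $twig->render('role_desc', ['description' => $storedDescription]);
}

/**
 * AUDIT: true when a value contains Twig delimiters. Reject such values on
 * save for plain-text fields, and scan existing records with it to spot a
 * field that may already have been abused.
 */
function containsTemplateSyntax(string $value): bool
{
    return (bool) preg_match('/\{\{|\{%|\{#/', $value);
}

// Constructed sample values: a benign description and one carrying
// template syntax (a harmless expression, not a command).
$samples = [
    'Site administrators',
    'Admins {{ 1 + 1 }}',
];

foreach ($samples as $value) {
    printf(
        "%-22s template_syntax=%s rendered=%s\n",
        $value,
        containsTemplateSyntax($value) ? 'yes' : 'no',
        renderDescriptionSafe($value)
    );
}

// renderDescriptionUnsafe() is deliberately not called here: with the second
// sample it would evaluate the user-supplied expression instead of printing it.
```

Run with `php example.php` after `composer require twig/twig`. The safe path renders the second sample with its braces intact, while the audit helper reports it, which is the signal a defender wants both at input validation time and when reviewing stored data after an incident.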

What the fix does

The patch is not available in the provided information. The advisory recommends updating to a version that addresses this vulnerability. The exploit description indicates that the vulnerability is present in PyroCMS version 3.9.

Preconditions

  • Authentication: the attacker must have user credentials with administrative privileges, specifically access to the `/admin` section [ref_id=1].
  • Input: the attacker must be able to modify the 'Description' field for role ID 1.

Reproduction

1. Authenticate to the application with administrative credentials.
2. Navigate to the role editing section for the admin user (role ID 1).
3. In the `description_en` field, inject a payload such as `{{["id"]|map("system")|join}}`.
4. Save the changes and observe the output, which should display the result of the executed command (e.g., `id`) [ref_id=1].

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
