VYPR

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

BaseIncomplete

Description

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (129)

page 7 of 7
  • CVE-2023-34448Jun 14, 2023
    risk 0.00cvss epss 0.05

    Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that…

  • CVE-2023-34253Jun 14, 2023
    risk 0.00cvss epss 0.02

    Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using…

  • CVE-2023-34252Jun 14, 2023
    risk 0.00cvss epss 0.02

    Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However,…

  • CVE-2023-2017Apr 17, 2023
    risk 0.00cvss epss 0.02

    Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the…

  • CVE-2021-4315Jan 28, 2023
    risk 0.00cvss epss 0.01

    A vulnerability has been found in NYUCCL psiTurk up to 3.2.0 and classified as critical. This vulnerability affects unknown code of the file psiturk/experiment.py. The manipulation of the argument mode leads to improper neutralization of special elements used in a template…

  • CVE-2022-0896Mar 9, 2022
    risk 0.00cvss epss 0.01

    Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3.

  • CVE-2021-46703Mar 6, 2022
    risk 0.00cvss epss 0.02

    In the IsolatedRazorEngine component of Antaris RazorEngine through 4.5.1-alpha001, an attacker can execute arbitrary .NET code in a sandboxed environment (if users can externally control template contents). NOTE: This vulnerability only affects products that are no longer…

  • CVE-2022-0323Jan 21, 2022
    risk 0.00cvss epss 0.01

    Improper Neutralization of Special Elements Used in a Template Engine in Packagist mustache/mustache prior to 2.14.1.

  • CVE-2018-20465Dec 25, 2018
    risk 0.00cvss epss 0.01

    Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes…