RCE vulnerability in Pimcore/Mail & Dynamic Text Layout
Description
Published by the National Vulnerability Database
Oct 27, 2022
Published to the GitHub Advisory Database
Oct 29, 2022
Reviewed
Oct 29, 2022
Last updated
Jan 30, 2023
Impact
The user controlled twig templates rendering in
Pimcore/Mail
&ClassDefinition\Layout\Text
is vulnerable to server-side template Injection RCE.Patches
Update to version 10.5.9 or apply this patch manually https://github.com/pimcore/pimcore/pull/13347.patch
Workarounds
Apply https://github.com/pimcore/pimcore/pull/13347.patch manually.
References
Credits: @nth347 from Viettel Cyber Security
References