CVE-2018-1000854

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-1000854

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1000854.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2018-1000854

Aliases

GHSA-hjm9-576q-399p

Published

2018-12-20T17:29:00Z

Modified

2024-10-12T03:02:23.347492Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

esigate.org esigate version 5.2 and earlier contains a CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in ESI directive with user specified XSLT that can result in Remote Code Execution. This attack appear to be exploitable via Use of another weakness in backend application to reflect ESI directives. This vulnerability appears to have been fixed in 5.3.

References

https://github.com/esigate/esigate/issues/209

Affected packages

Git / github.com/esigate/esigate

Affected ranges

Type: GIT
Repo: https://github.com/esigate/esigate
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

3bb8492da824156aef01e4639e3b10640be4170a

Affected versions

esigate-5.*

esigate-5.0

esigate-5.0-beta-1

esigate-5.0-beta-2

esigate-5.0-beta-3

esigate-5.1

esigate-5.2