Server-Side Template Injection
Description
The application is vulnerable to Server-Side Template Injection (SSTI). The vulnerability arises when untrusted user input is concatenated into the source of a server-side template instead of being passed to the template as data: the template engine then parses the attacker's input as template syntax and evaluates any expressions it contains. Depending on the engine, this allows an attacker to read server-side objects and configuration, and frequently to execute arbitrary code on the server, compromising the integrity and confidentiality of the system. A common way to confirm the issue is to submit an arithmetic expression in the engine's syntax (for example `{{7*7}}`) and observe whether the response contains the evaluated result rather than the literal input.
Remediation
User-controlled data should never be used to construct the template itself. Keep template source fixed and supply user data only as template variables (context), so the engine treats it as data rather than as Expression Language. Where user-controlled data must nevertheless form part of a template or expression, have its special elements neutralized; consult the documentation for the template system in use on how to properly neutralize user-controlled data. Running the engine in a sandboxed or logic-less mode limits the impact of an injection but does not remove the vulnerability on its own.
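The following is an added example, not code from the scanned application or from this report. It shows the vulnerable pattern (user input concatenated into the template source) beside the remediated pattern (user input passed as a context variable) using the Jinja2 engine, and applies the `{{7*7}}` probe to each. It assumes the `jinja2` package is installed; the probe string, the greeting template and the helper names are constructed for illustration only.

```python
"""Added example (not from the report): SSTI in Jinja2 and its remediation.

Assumes the jinja2 package is installed. The probe, templates and function
names below are constructed for illustration only.
"""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample input: a typical SSTI probe. An engine that parses it as
# template syntax evaluates it to "49"; a correct implementation echoes it.
PROBE = "{{ 7 * 7 }}"


def render_vulnerable(user_name: str) -> str:
    """Vulnerable: the template source is built from user input.

    The engine parses the untrusted string as template syntax, so any
    expression it contains is evaluated server-side.
    """
    env = Environment()
    template = env.from_string("Hello " + user_name + "!")
    return template.render()


def render_sandboxed(user_name: str) -> str:
    """Same mistake inside SandboxedEnvironment.

    The sandbox blocks access to unsafe attributes, which limits escalation to
    code execution, but it still evaluates injected expressions: sandboxing
    reduces impact, it does not fix the injection.
    """
    env = SandboxedEnvironment()
    template = env.from_string("Hello " + user_name + "!")
    return template.render()


def render_safe(user_name: str) -> str:
    """Remediated: the template source is fixed and user data enters only as
    a context variable, so the engine treats it as data, not as syntax.

    autoescape=True is unrelated to SSTI; it is the usual HTML-output setting
    that neutralizes markup characters in the variable (XSS), kept here so the
    safe version is what one would actually deploy for HTML.
    """
    env = Environment(autoescape=True)
    template = env.from_string("Hello {{ name }}!")
    return template.render(name=user_name)


def is_injectable(render, probe: str = PROBE) -> bool:
    """Detection check used by the probe technique: the arithmetic result
    appears in the output while the probe text itself does not."""
    out = render(probe)
    return "49" in out and probe not in out


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable),
                     ("sandboxed", render_sandboxed),
                     ("safe", render_safe)):
        print(f"{name:11s} -> {fn(PROBE)!r}  injectable={is_injectable(fn)}")
```

Run stand-alone, the script prints `Hello 49!` for the first two renderers and the literal `Hello {{ 7 * 7 }}!` for the remediated one; only the renderer that keeps the template source fixed passes `is_injectable`.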
Details
ID | Aggregated | CWE | Type | Risk |
---|---|---|---|---|
1336.1 | false | 1336 | Active | high |