Summary

Acunetix 360 detected that this page is vulnerable to Server-Side Template Injection (SSTI) attacks.

Template engine systems can be placed at the View part of MVC based applications and are used to present dynamic data. Template systems have so called expressions.

SSTI occurs when user-supplied data is embedded inside a template and is evaluated as an expression by the template engine.

This is an important issue and should be addressed as soon as possible.

Impact

An attacker can inject data that can be evaluated as template engine expressions. This may trick a system to execute an arbitrary system command.

Remediation

Do not trust the data that users supply and don't add it to directly into the template. Instead, pass user controlled parameters to the template as template parameters.

Severity

Critical

Classification

PCI v3.2-6.5.1 CWE-74 HIPAA-164.306(a) 164.308(a) ISO27001-A.14.2.5 OWASP 2013-A1 OWASP 2017-A1 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H