Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhqbTktNTc2cS0zOTlw
Remote Code Execution in esigate-core
esigate.org esigate version 5.2 and earlier contains a CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in ESI directive with user specified XSLT that can result in Remote Code Execution. This attack appear to be exploitable via Use of another weakness in backend application to reflect ESI directives. This vulnerability appears to have been fixed in 5.3.
Permalink: https://github.com/advisories/GHSA-hjm9-576q-399pJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhqbTktNTc2cS0zOTlw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 5 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-hjm9-576q-399p, CVE-2018-1000854
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000854
- https://github.com/esigate/esigate/issues/209
- https://github.com/advisories/GHSA-hjm9-576q-399p
Blast Radius: 10.6
Affected Packages
maven:org.esigate:esigate-core
Dependent packages: 11Dependent repositories: 12
Downloads:
Affected Version Ranges: < 5.3
Fixed in: 5.3
All affected versions: 3.4.1, 4.2.1
All unaffected versions: