template-injection

3 articles
Sort: New Top Best
clear filter
bug-bounty622 facebook479 xss316 google174 microsoft120 rce102 apple72 csrf60 web355 account-takeover53 writeup51 exploit43 sqli41 dos36 ssrf34 cve33 cloudflare32 privilege-escalation29 defi28 malware27 node26 smart-contract-vulnerability25 idor25 subdomain-takeover24 clickjacking23 smart-contract23 ethereum23 access-control21 react21 vulnerability-disclosure21 reverse-engineering20 auth-bypass19 aws19 remote-code-execution18 lfi18 cloud17 docker17 cors17 oauth17 supply-chain17 race-condition17 info-disclosure16 browser14 authentication-bypass14 solidity14 phishing14 denial-of-service11 sql-injection11 delegatecall11 wordpress10
0
Handlebars Tempelate Injection and RCE
vulnerability

A researcher discovered a zero-day Server-Side Template Injection (SSTI) vulnerability in the Handlebars template engine used in Shopify's Return Magic app, achieving Remote Code Execution by exploiting Object.prototype methods and the Function constructor to bypass sandbox restrictions. The exploit leverages the 'with' helper and Object.prototype.defineProperty() to inject arbitrary code through email workflow templates.

template-injection server-side-template-injection remote-code-execution rce handlebars javascript nodejs sandbox-escape prototype-pollution object-prototype shopify vulnerability zero-day
Handlebars Shopify Return Magic HackerOne H1-514 Synack TrendMicro Matias
mahmoudsec.blogspot.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago · details
0
RCE in Hubspot with EL injection in HubL
vulnerability

A researcher discovered remote code execution in HubSpot's template engine by exploiting expression language injection in HubL, using reflection to access javax.script.ScriptEngineManager and the Nashorn JavaScript engine to execute arbitrary code. The vulnerability arose from unsafe method calls allowed in the Jinjava-based template parser, which permitted access to Java reflection APIs despite blocking direct access to Runtime and System classes.

rce expression-language-injection template-injection el-injection java hubl jinjava bug-bounty nashorn script-engine-manager reflection unsafe-deserialization
HubSpot HubL Jinjava PortSwigger javax.script.ScriptEngineManager jdk.nashorn.api.scripting.NashornScriptEngine com.hubspot.content.hubl.context.TemplateContextRequest
betterhacker.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago · details
0
Attacking helpdesk RCE chain on deskpro with bitdefender
vulnerability

Research demonstrating a complete RCE attack chain on DeskPro helpdesk software through multiple chained vulnerabilities: insufficient API access control (leaking JWT secrets and admin config), and insecure deserialization in the template editor. The exploit was demonstrated against Bitdefender's support center, achieving remote code execution from an unauthenticated user registration.

rce remote-code-execution helpdesk deskpro access-control insufficient-access-control api-vulnerability insecure-deserialization privilege-escalation jwt authentication-bypass template-injection twig php-deserialization pop-gadgets credential-exposure email-credentials ticket-system on-premise self-hosted
CVE-2020-11465 CVE-2020-11463 CVE-2020-11466 CVE-2020-11464 CVE-2020-11467 DeskPro Bitdefender osTicket Kayako PHP Live! Freelancer Inc Redforce Web Security
blog.redforce.io · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago · details