PT-2021-15553 · Latte · Latte

Jiang +1

Published 2021-12-17 · Updated 2022-01-06

CVE-2021-23803

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: latte/latte versions prior to 2.10.6
Description: The issue allows the allowFunctions restriction to be bypassed, compromising the security of the application. When a template is configured to allow or disallow certain functions, adding control characters (x00-x08) after the function bypasses these restrictions.
Recommendations: For versions prior to 2.10.6, update to version 2.10.6 or later to resolve the issue. As a temporary workaround, restrict the use of functions whose allow/deny restrictions could be bypassed with control characters until the patch is applied, and avoid control characters (x00-x08) after functions in templates to minimize the risk of exploitation.
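As an added defensive example (not code from this advisory or from the Latte project), the scanner below walks template text and reports any function name that is followed by control characters x00-x08 before its opening parenthesis, the pattern the advisory describes, so affected templates can be located in a repository; the sample template and its `{=func(...)}` tags are constructed for the demonstration.

```python
import re

# CVE-2021-23803: in latte/latte before 2.10.6, a control character (x00-x08)
# placed right after a function name lets a call slip past the allowFunctions
# restriction. This scanner flags template text where such a character sits
# between an identifier and its opening parenthesis.
CALL_WITH_CONTROL_CHAR = re.compile(
    r"([A-Za-z_][A-Za-z0-9_\\]*)"   # function name (namespace separators allowed)
    r"([\x00-\x08]+)"               # one or more control characters x00-x08
    r"\s*\("                        # the call's opening parenthesis
)


def find_control_char_calls(template: str):
    """Return (line_no, function_name, control_codepoints) for each finding."""
    findings = []
    for line_no, line in enumerate(template.splitlines(), start=1):
        for match in CALL_WITH_CONTROL_CHAR.finditer(line):
            codes = [ord(c) for c in match.group(2)]
            findings.append((line_no, match.group(1), codes))
    return findings


def template_is_clean(template: str) -> bool:
    """True when no function call carries trailing control characters."""
    return not find_control_char_calls(template)


# Constructed sample template (not from the advisory): line 2 carries a
# \x01 byte between "strlen" and "(" as the advisory describes.
SAMPLE_TEMPLATE = (
    "<p>{$user->name|upper}</p>\n"
    "{=strlen\x01($user->name)}\n"
    "{=trim($text)}\n"
)

if __name__ == "__main__":
    for line_no, name, codes in find_control_char_calls(SAMPLE_TEMPLATE):
        print(f"line {line_no}: '{name}' followed by control bytes {codes}")
```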

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2021-23803
GHSA-6PJ2-5FQQ-XVJC
SNYK-PHP-LATTELATTE-1932226

Affected Products

Latte