CVE-2020-28246

Name of the Vulnerable Software and Affected Versions Form.io version 2.0.0

Description A Server-Side Template Injection (SSTI) issue was discovered, leading to Remote Code Execution during the deletion of the default Email template URL. The email templating service was removed after 2020. The vendor disputes this issue, indicating it is sandboxed and only executable by admins.

Recommendations For Form.io version 2.0.0, as a temporary workaround, consider restricting access to the default Email template URL deletion functionality until a patch is available. Additionally, since the email templating service was removed after 2020, ensuring this service is not re-enabled can help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.