PT-2024-20519 · Affected products: Gibbon, Twig

Published 2024-04-02 · Updated 2024-08-16 · CVE-2024-24724

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gibbon, versions through 26.0.00.
Description: Server-Side Template Injection (SSTI) leading to Remote Code Execution. The /modules/School Admin/messengerSettings.php endpoint passes user-supplied input to the Twig template engine without sanitization, so any Twig expressions embedded in that input are parsed and evaluated on the server rather than treated as data. Since some Twig filters accept callables and can reach PHP functions, evaluating attacker-controlled template source amounts to code execution in the context of the web server process.
Recommendations: For versions through 26.0.00, restrict access to /modules/School Admin/messengerSettings.php (for example, deny the path at the web server, or limit it to trusted administrator source addresses) until a patched release is available. Do not use values submitted through that page as Twig template source: pass them to a fixed template as context variables so Twig treats them as data, or, if admin-editable templates are a required feature, render them under Twig's sandbox extension with an explicit allow-list of tags, filters and functions. A benign check that confirms exposure is a field value containing {{7*7}}: if the rendered output shows 49, the input is being evaluated as a template. At the time of writing there is no information about a newer version that contains a fix for this issue.
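The following PHP is an added illustration of the vulnerable pattern and the two hardening options named above. It is not Gibbon's or Twig's own code: the function names, the constructed input string and the allow-list contents are assumptions, and it only requires the twig/twig package to run.

```php
<?php
// Added example for this advisory; not code from Gibbon or Twig.
// Run after: composer require twig/twig
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Constructed attacker input: a harmless SSTI probe. If the braces are
// evaluated, the output contains 49 instead of the literal text.
$userInput = 'Hello {{ 7*7 }}';

$twig = new Environment(new ArrayLoader());

// VULNERABLE pattern: user-controlled text becomes the template source,
// so Twig compiles and executes whatever {{ ... }} it contains.
function renderVulnerable(Environment $twig, string $text): string
{
    return $twig->createTemplate($text)->render([]);
}

// HARDENED pattern 1: the template is fixed and the user text is passed
// as a context variable. Twig autoescapes it and never parses it as code.
function renderSafe(Environment $twig, string $text): string
{
    $template = $twig->createTemplate('{{ text }}');
    return $template->render(['text' => $text]);
}

// HARDENED pattern 2: editable templates are a feature, so run them in
// Twig's sandbox with an explicit allow-list. Anything outside the list
// (a filter, tag or function) is rejected at compile time.
function renderSandboxed(string $text): string
{
    $policy = new SecurityPolicy(
        ['if'],                // allowed tags (assumed allow-list)
        ['escape', 'upper'],   // allowed filters
        [],                    // allowed methods
        [],                    // allowed properties
        []                     // allowed functions
    );
    $env = new Environment(new ArrayLoader());
    $env->addExtension(new SandboxExtension($policy, true)); // sandbox everything
    return $env->createTemplate($text)->render([]);
}

echo renderVulnerable($twig, $userInput), "\n"; // Hello 49  (expression evaluated)
echo renderSafe($twig, $userInput), "\n";       // Hello {{ 7*7 }}  (treated as data)

// A filter that is not on the allow-list is refused before it can run.
// 'map' with a string callable is the classic Twig shape for reaching PHP
// functions; the sandbox rejects it regardless of what the callable is.
try {
    echo renderSandboxed("{{ ['id']|map('system') }}"), "\n";
} catch (SecurityError $e) {
    echo 'blocked by sandbox: ', $e->getMessage(), "\n";
}
```

Pattern 1 is the right fix for a settings field that only needs to hold text; pattern 2 is for the case where administrators legitimately author templates, and its allow-list should be as small as the feature permits.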

Tags: Exploit · Fix · RCE


Weakness Enumeration: none listed on this record
Related Identifiers: CVE-2024-24724
Affected Products: Gibbon, Twig