PT-2024-20866 · Mjml-App · Mjml-App
Published 2024-03-01 · Updated 2025-05-13
CVE-2024-25293
CVSS v3.1: 9.3 (Critical)
Vector: AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
mjml-app versions 3.0.4 through 3.1.0-beta
Description
The issue allows for remote code execution (RCE) via the href attribute.
Recommendations
For versions 3.0.4 and 3.1.0-beta, consider restricting access to the href attribute until a patch is available.
As a temporary workaround, avoid using the href attribute in affected API endpoints or modules until the issue is resolved.
Exploit
Fix
RCE
Code Injection
Affected Products
Mjml-App