Vendor: PlaySMS
By: Touhid M.Shaikh, Lucas Rosevear
CVSS: 9.8 (CRITICAL)
Server-Side Template Injection
CWE: 79
Product Name: PlaySMS
Affected Version From: Before 1.4.3
Affected Version To: 1.4.2003
Patch Exists: YES
Related CWE: CVE-2020-8644
CPE: a:playsms:playsms
Other Scripts:
Platforms Tested:
2020

PlaySMS index.php Unauthenticated Template Injection Code Execution

This module exploits a pre-authentication Server-Side Template Injection vulnerability in PlaySMS before version 1.4.3, leading to remote code execution. The vulnerability is caused by processing a server-side template twice with 'TPL', a custom PHP template system used in the PlaySMS template engine. An attacker can submit a username containing a malicious payload, which is stored in a TPL template. When the template is rendered a second time, code execution occurs, because the TPL template language is vulnerable to PHP code injection.

Mitigation:

Update PlaySMS to version 1.4.3 or later.
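
The double-rendering flaw described above, modelled as an added example that is not PlaySMS or TPL code: a constructed toy engine with an assumed `{{name}}` syntax, whose second pass evaluates template syntax carried in the username, next to a single-pass form that encodes the untrusted value. The toy engine only substitutes variables, so the visible effect here is disclosure of a server-side value rather than code execution; all function names and sample values are hypothetical.

```python
import re

# Constructed toy engine: {{name}} is replaced by a context value.
# This is NOT the TPL syntax; it only models "user input rendered twice".
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, context):
    """Single pass: substitute each {{name}} with its context value."""
    return PLACEHOLDER.sub(lambda m: str(context.get(m.group(1), "")), template)


def neutralize(value):
    """Encode delimiters in untrusted data so no later pass sees a tag."""
    return value.replace("{", "&#123;").replace("}", "&#125;")


def login_page_vulnerable(username, server_ctx):
    # Pass 1 stores the username in the page; pass 2 re-renders that output,
    # so template syntax inside the username is now evaluated.
    first = render("Login failed for {{username}}", {"username": username})
    return render(first, server_ctx)


def login_page_fixed(username, server_ctx):
    # One pass only, with the untrusted value encoded before insertion.
    ctx = dict(server_ctx, username=neutralize(username))
    return render("Login failed for {{username}}", ctx)


def looks_like_template(value):
    """Detection helper: flag request fields that carry engine delimiters."""
    return bool(PLACEHOLDER.search(value))


if __name__ == "__main__":
    ctx = {"db_password": "s3cret-constructed"}  # constructed sample value
    probe = "{{db_password}}"                    # constructed benign probe
    print(login_page_vulnerable(probe, ctx))
    print(login_page_fixed(probe, ctx))
    print(looks_like_template(probe), looks_like_template("alice"))
```

The encoding step matters even in the single-pass form: it keeps the stored value inert if some later layer renders the page again.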
Source

Exploit-DB raw data: