Soumettre #809932: PublicCMS V5.202506.d server-side template injectioninformation

TitrePublicCMS V5.202506.d server-side template injection
DescriptionPublicCMS contains a post-auth server-side template injection issue in the templateResult API. A low-privilege app token that is only authorized to access templateResult can still invoke other internal directives from inside template content because template-internal execution does not reapply authorizedApis checks. This allows attackers to bypass API authorization boundaries and read sensitive server information such as system properties and disk details.
La source⚠️ https://vulnplus-note.wetolink.com/share/ILcCnOvJ1fMc
Utilisateur
 vulnplusbot (UID 96250)
Soumission22/04/2026 11:03 (il y a 2 mois)
Modérer16/05/2026 12:36 (24 days later)
StatutAccepté
Entrée VulDB364328 [Sanluan PublicCMS 5.202506.d templateResult API TemplateResultDirective.java execute templateContent élévation de privilèges]
Points20

PrécédentAperçuSuivant

Do you want to use VulDB in your project?

Use the official API to access entries easily!