CVE-2023-26546

Published: May 2, 2023Modified: Jan 30, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

European Chemicals Agency IUCLID before 6.27.6 allows remote authenticated users to execute arbitrary code via Server Side Template Injection (SSTI) with a crafted template file. The attacker must have template manager permission.

Affected (1)

Products: Echa.europa: Iuclid

Echa.europa

1 product

Iuclid

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Echa.europa Iuclid	From 5.15.0 to 6.27.6

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (6)

https://iuclid6.echa.europa.eu

Source: cve@mitre.org

Product

https://iuclid6.echa.europa.eu/documents/1387205/1809530/note_v6.27.6.pdf/76545a65-e6be-6486-280a-7d7c3d2ad455?t=1677577170669

Source: cve@mitre.org

MitigationVendor Advisory

https://iuclid6.echa.europa.eu/download

Source: cve@mitre.org

Product

https://iuclid6.echa.europa.eu

Source: af854a3a-2127-422b-91ae-364da2661108

Product

https://iuclid6.echa.europa.eu/documents/1387205/1809530/note_v6.27.6.pdf/76545a65-e6be-6486-280a-7d7c3d2ad455?t=1677577170669

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

https://iuclid6.echa.europa.eu/download

Source: af854a3a-2127-422b-91ae-364da2661108

Product

Timeline

No history available yet.