Vulnerability Description
This affects the package latte/latte before 2.10.6. There is a way to bypass allowFunctions that will affect the security of the application. When the template is set to allow/disallow the use of certain functions, adding control characters (bytes 0x00-0x08) after the function name will bypass these restrictions.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nette | Latte | < 2.10.6 |
References
- https://github.com/nette/latte/commit/227c86eda9a8a6d060ea8501923e768b6d992210 (Patch, Third Party Advisory)
- https://github.com/nette/latte/issues/279 (Exploit, Issue Tracking, Patch)
- https://snyk.io/vuln/SNYK-PHP-LATTELATTE-1932226 (Exploit, Patch, Third Party Advisory)
FAQ
What is CVE-2021-23803?
CVE-2021-23803 is a vulnerability with a CVSS score of 9.8 (CRITICAL). This affects the package latte/latte before 2.10.6. There is a way to bypass allowFunctions that will affect the security of the application. When the template is set to allow/disallow the use of cert...
How severe is CVE-2021-23803?
CVE-2021-23803 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-23803?
Check the references section above for vendor advisories and patch information. Affected products include: Nette Latte.