Vulnerability Description
Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the affected system. As of time of publication, no patched version exists, nor have any known workarounds been disclosed.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/adfinis/document-merge-service/commit/a1edd39d33d1bdf75c31ea0
- https://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-
- https://github.com/adfinis/document-merge-service/commit/a1edd39d33d1bdf75c31ea0
- https://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-
FAQ
What is CVE-2024-37301?
CVE-2024-37301 is a vulnerability with a CVSS score of 7.2 (HIGH). Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via se...
How severe is CVE-2024-37301?
CVE-2024-37301 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-37301?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.