GHSA-4rmr-c2jx-vx27

Source

https://github.com/advisories/GHSA-4rmr-c2jx-vx27

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-4rmr-c2jx-vx27/GHSA-4rmr-c2jx-vx27.json

Aliases

CVE-2022-0323

Published

2022-01-27T14:51:00Z

Modified

2024-02-16T07:59:53.974944Z

Details

In Mustache.php v2.0.0 through v2.14.0, Sections tag can lead to arbitrary php code execution even if strict_callables is true when section value is controllable.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-0323
https://github.com/bobthecow/mustache.php/commit/579ffa5c96e1d292c060b3dd62811ff01ad8c24e
https://github.com/FriendsOfPHP/security-advisories/blob/master/mustache/mustache/CVE-2022-0323.yaml
https://github.com/bobthecow/mustache.php
https://github.com/bobthecow/mustache.php/releases/tag/v2.14.1
https://huntr.dev/bounties/a5f5a988-aa52-4443-839d-299a63f44fb7

Affected packages

Packagist / mustache/mustache

Package

Name: mustache/mustache

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.14.1

Affected versions

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.1.0

v2.2.0

v2.3.0

v2.3.1

v2.4.0

v2.4.1

v2.5.0

v2.5.1

v2.6.0

v2.6.1

v2.7.0

v2.8.0

v2.9.0

v2.10.0

v2.11.0

v2.11.1

v2.12.0

v2.13.0

v2.14.0