Bagisto Server-Side Template Injection Vulnerability in Product Descriptions

Vulnerability

A Server-Side Template Injection (SSTI) vulnerability has been identified in Bagisto version 2.3.7, an open-source e-commerce platform built on Laravel. The product description field is not sanitized before it reaches the server-side templating engine (Laravel's Blade), so the stored description is compiled and evaluated as template source instead of being rendered as data. As a result, an authenticated user who holds product creation or editing privileges can inject arbitrary template expressions that the backend evaluates, potentially leading to Remote Code Execution (RCE) on the web server.

Impact

Successful exploitation gives the attacker arbitrary code execution in the context of the web server process. From there, the attacker can read sensitive configuration such as the application's environment variables (Laravel loads these from the .env file), API keys and database credentials, which can lead to a data breach. Because the payload is stored with the product, it is re-executed every time the product page is rendered, so an attacker can plant persistent backdoors or malicious scripts in dynamically rendered templates. The issue is also a privilege escalation: a user whose role is limited to catalog management gains the privileges of the operating-system account running Bagisto.

Reproduction

To reproduce this vulnerability, log in to Bagisto v2.3.7 with an account that can create products, create a product and place template syntax in the description field. A harmless arithmetic expression such as {{ 7*7 }} is enough to confirm the issue: if the description is compiled as a template, the rendered page shows 49 instead of the literal text {{ 7*7 }}. Save the product and preview (or open) its storefront page to see that the injected template code has been executed and its result displayed. The same check performed after remediation should show the expression verbatim.
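The vulnerable rendering pattern and its hardened form, as an added illustration that is not Bagisto's own code and does not reproduce its patch. It assumes a Laravel 10+ application (for example, pasted into php artisan tinker or a route closure), where Blade::render() compiles and executes a template string; the sample description, the function names and the optional HTMLPurifier dependency are this example's own choices.

```php
<?php
// Added illustration, not Bagisto's own code. Assumes a Laravel 10+ app,
// where Blade::render() exists. The description is attacker-controlled.

use Illuminate\Support\Facades\Blade;

// Constructed sample: a description carrying a harmless canary expression.
// If the engine evaluates it, the page shows the arithmetic result instead
// of the literal text, the same class of behaviour the advisory describes,
// without needing a code-execution payload.
$untrustedDescription = '<p>Great widget</p> {{ 7 * 7 }}';

// VULNERABLE PATTERN: user content is compiled as a Blade template.
// Blade::render() compiles the string to PHP and executes it, so every
// {{ }}, {!! !!} and @directive in the description runs on the server.
function renderVulnerable(string $description): string
{
    return Blade::render($description);
}

// HARDENED PATTERN: the template is a fixed string the developer wrote;
// the description enters it only as a variable, HTML-escaped by {{ }}.
function renderHardened(string $description): string
{
    return Blade::render(
        '<div class="description">{{ $description }}</div>',
        ['description' => $description]
    );
}

// If rich HTML must be preserved, escaping is not an option. Then the
// description must pass through an HTML sanitizer before being echoed
// with {!! !!}; it still never becomes template source. Assumes
// ezyang/htmlpurifier is installed (composer require ezyang/htmlpurifier).
function renderHardenedRichText(string $description): string
{
    $config = \HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,strong,em,ul,ol,li,br,a[href]');
    $clean = (new \HTMLPurifier($config))->purify($description);

    return Blade::render(
        '<div class="description">{!! $clean !!}</div>',
        ['clean' => $clean]
    );
}

// Check a tester can apply to any rendered page: the canary was evaluated
// only if its result appears and the literal expression text does not.
function templateWasEvaluated(string $renderedHtml): bool
{
    return str_contains($renderedHtml, '49')
        && !str_contains($renderedHtml, '{{ 7 * 7 }}');
}

var_dump(templateWasEvaluated(renderVulnerable($untrustedDescription)));
var_dump(templateWasEvaluated(renderHardened($untrustedDescription)));
var_dump(templateWasEvaluated(renderHardenedRichText($untrustedDescription)));
```

renderVulnerable() evaluates whatever template syntax the description contains, so the canary's result replaces the expression and templateWasEvaluated() reports true; renderHardened() and renderHardenedRichText() pass the description in as a variable, so the braces reach the browser as literal text and the check reports false. The rule that matters is the second one: template source must be a fixed string written by the developer, and user content must only ever enter it as data, escaped or sanitized according to whether HTML is allowed.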

Remediation

Upgrade to Bagisto version 2.3.8, where this vulnerability has been fixed. Until the upgrade is applied, restrict the product create/edit permission to trusted administrators, since exploitation requires that privilege. After upgrading, search existing product descriptions for template syntax (for example {{, {!! or @php) to find payloads stored before the fix, and if exploitation is suspected, rotate any secrets the server could have exposed (application key, API keys, database credentials).

Added: Oct 16, 2025, 7:21 PM
Updated: Oct 16, 2025, 7:21 PM

Vulnerability Rating

Custom Algorithm
spread          1.0
impact         10.0
exploitability  6.3
remediation     7.7
relevance       0.8
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.