Bagisto Server-Side Template Injection Vulnerability in User Profile Management

Vulnerability

A server-side template injection vulnerability has been identified in Bagisto, an open-source Laravel eCommerce platform. This issue affects versions prior to 2.3.10 and arises in the customer account profile section, where low-privilege users can inject template syntax into the first and last name fields. The injected expression is executed on the server, potentially leading to remote code execution.

Impact

A low-privilege authenticated user who can edit their own profile can inject template expressions that are evaluated on the server, with the possibility of executing arbitrary code on the server.

Reproduction

To reproduce this vulnerability, log in or sign up on a Bagisto installation running version 2.3.9 or prior. Navigate to the customer account profile page and edit the first name and last name fields. Inject a template expression, such as a mathematical operation, and observe that the expression is executed and the result is displayed, indicating successful exploitation of the server-side template injection vulnerability.

Remediation

Users can upgrade to Bagisto version 2.3.10 or later to address this vulnerability.
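The reproduction and remediation sections above describe the problem as profile name fields that reach a server-side template engine. As an added example (not Bagisto's own code and not a fix shipped in 2.3.10), the Python below shows the two defender-side checks a practitioner would want while rolling out the upgrade: an allow-list validator for first/last name values that rejects anything other than letters, combining marks, spaces, hyphens, apostrophes and periods, and a scan of profile-update log lines that flags values carrying template delimiters. The log format and the request path "/customer/account/profile" are assumptions constructed for the example, and the delimiter list covers common template engines rather than any specific Bagisto sink, which the advisory does not name.

```python
# Added example (not Bagisto's code): allow-list validation for customer
# profile name fields plus a scan of profile-update log lines for template
# syntax. Assumed, not from the advisory: the JSON log format below and the
# request path "/customer/account/profile" are constructed placeholders.
import json
import unicodedata
from typing import Iterable

# Opening/closing delimiters of common template engines. A real person's name
# never contains any of them, so a match is a strong signal of an SSTI attempt.
TEMPLATE_MARKERS = ("{{", "}}", "{!!", "!!}", "{%", "%}", "${", "<?", "@php")

# Characters other than letters and combining marks that may appear in a name.
NAME_PUNCTUATION = " -'."


def contains_template_syntax(value: str) -> bool:
    """True if the value carries any template delimiter."""
    return any(marker in value for marker in TEMPLATE_MARKERS)


def is_valid_name(value: str, max_len: int = 64) -> bool:
    """Allow-list check: letters of any script, combining marks, spaces,
    hyphens, apostrophes and periods; 1..max_len characters; not blank."""
    if not value or not value.strip() or len(value) > max_len:
        return False
    for ch in value:
        category = unicodedata.category(ch)  # e.g. 'Lu', 'Ll', 'Mn'
        if category[0] in ("L", "M") or ch in NAME_PUNCTUATION:
            continue
        return False
    return True


def classify_name(value: str) -> str:
    """'ok', 'template_syntax' (delimiters present) or 'invalid' (other
    disallowed content such as digits, brackets or an empty value)."""
    if contains_template_syntax(value):
        return "template_syntax"
    return "ok" if is_valid_name(value) else "invalid"


def find_suspicious_profile_updates(lines: Iterable[str]) -> list[dict]:
    """Scan JSON log lines of profile updates and report the ones whose
    name fields fail validation, with the offending field and the reason."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        if event.get("path") != "/customer/account/profile":
            continue  # only the profile-edit endpoint is in scope here
        for field in ("first_name", "last_name"):
            verdict = classify_name(str(event.get(field, "")))
            if verdict != "ok":
                findings.append({"ts": event.get("ts"), "ip": event.get("ip"),
                                 "field": field, "value": event.get(field),
                                 "reason": verdict})
    return findings


# Constructed sample log lines (not real Bagisto logs). Line 2 carries the
# kind of arithmetic template expression the advisory's reproduction describes,
# line 3 carries disallowed but non-template characters, line 4 is a different
# endpoint and line 5 is not JSON.
SAMPLE_LOG = """\
{"ts": "2026-01-02T21:20:01Z", "ip": "198.51.100.7", "path": "/customer/account/profile", "first_name": "Ana María", "last_name": "O'Brien"}
{"ts": "2026-01-02T21:20:05Z", "ip": "203.0.113.9", "path": "/customer/account/profile", "first_name": "{{7*7}}", "last_name": "Smith"}
{"ts": "2026-01-02T21:20:09Z", "ip": "203.0.113.9", "path": "/customer/account/profile", "first_name": "Bob", "last_name": "<script>"}
{"ts": "2026-01-02T21:20:12Z", "ip": "192.0.2.4", "path": "/customer/account/addresses", "first_name": "{{x}}", "last_name": "y"}
not json at all
""".splitlines()


if __name__ == "__main__":
    for finding in find_suspicious_profile_updates(SAMPLE_LOG):
        print(finding)
```

The validator deliberately uses an allow-list rather than a block-list of delimiters: the marker list exists only to label a rejected value as a probable injection attempt for triage, while the allow-list is what actually decides acceptance, so new or unusual template syntax is rejected even if it is not in the list.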

Added: Jan 2, 2026, 9:20 PM
Updated: Jan 2, 2026, 9:20 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 10.0
exploitability: 6.8
remediation: 7.7
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.