An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.
The Webhook Template component does not properly neutralize user-supplied input, leading to a Server Side Template Injection (SSTI) vulnerability (CWE-1336). An attacker can inject malicious template expressions into the Webhook Template field, which are then interpreted and executed on the server side. This allows an attacker to gain control over the server process and execute arbitrary system commands.
A remote authenticated attacker can execute arbitrary code on the server hosting Crafty Controller, which may result in complete system compromise, data theft, and lateral movement within the internal network.
Apply patches available from the vendor according to the references (https://gitlab.com/crafty-controller/crafty-4/-/issues/646). Until the update is applied, restrict access to the Crafty Controller interface only to trusted users and monitor the activity of accounts with permissions to configure Webhook Template.
Craftycontrol Crafty Controller — versions indicated in the vendor's references
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HCraftycontrol Crafty Controller
APPCraftycontrol4.6.1
Related vulnerabilities
IDOR w Crafty Controller — nieautoryzowana modyfikacja kont użytkowników
Path Traversal umożliwiający RCE w Crafty Controller (File Operations API)
An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remo...
An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unaut...
An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller...