IPW Systems Metazo through 8.1.3 allows unauthenticated Remote Code Execution because smartyValidator.php enables the attacker to provide template expressions, aka Server-Side Template-Injection. All instances have been patched by the Supplier.
The smartyValidator.php file accepts user input without proper validation and passes it directly to the Smarty template engine. An attacker can provide specially crafted template expressions that will be processed server-side. This mechanism is classified as Server-Side Template Injection (SSTI) — the attacker does not need to possess any credentials, and the attack is possible remotely over the network.
An attacker gains the ability to remotely execute arbitrary code (RCE) on the server without authentication, which can lead to complete system compromise, data theft, and integrity violation of the environment.
The vendor (IPW Systems) has applied patches to all instances of the product. Contact the vendor and confirm that your environment has been updated; if in doubt, apply patches available from the vendor according to the references.
IPW Systems Metazo in all versions up to and including 8.1.3.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:NIpwsystems Metazo
APPIpwsystems≤ 8.1.13