CRITICAL🇵🇱 Wersja polska

CVE-2025-46661

CVSS 10.0v3.1pub. 2025-04-28upd. 2025-05-12

IPW Systems Metazo through 8.1.3 allows unauthenticated Remote Code Execution because smartyValidator.php enables the attacker to provide template expressions, aka Server-Side Template-Injection. All instances have been patched by the Supplier.

🤖 AI Analysis
How it works

The smartyValidator.php file accepts user input without proper validation and passes it directly to the Smarty template engine. An attacker can provide specially crafted template expressions that will be processed server-side. This mechanism is classified as Server-Side Template Injection (SSTI) — the attacker does not need to possess any credentials, and the attack is possible remotely over the network.

Impact

An attacker gains the ability to remotely execute arbitrary code (RCE) on the server without authentication, which can lead to complete system compromise, data theft, and integrity violation of the environment.

Mitigation & patch

The vendor (IPW Systems) has applied patches to all instances of the product. Contact the vendor and confirm that your environment has been updated; if in doubt, apply patches available from the vendor according to the references.

Who is affected

IPW Systems Metazo in all versions up to and including 8.1.3.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
  • Ipwsystems Metazo

    APP
    Ipwsystems
    ≤ 8.1.13
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References