SSTI in mblog 3.5.1 - A tale of a glorified RCE (CVE-2024-28713)

SSTI in mblog 3.5.1 - A tale of a glorified RCE (CVE-2024-28713)

CVEs

9.8 Critical Severity

Screenshots from the blog posts

images/clv2fxknmnk211imx6rje2zyt.jpgimages/clv2fxknmnk211imx6rje2zyt.jpg

Summary

A Server-Side Template Injection (SSTI) vulnerability exists in in Mblog Blog system v.3.5.0, allowing an attacker to execute arbitrary code by uploading a malicious theme. This post unravels the mystery by exploring of this CVE and digs deeper into the process of exploiting the target from knowing nothing about it to having a full-blown root shell on the underlying OS!

Description

@secatgourity

185 posts

Total vcoins

121.1K

Social media links

Comments (0)