CVE-2024-24724

CVSS 9.8 CRITICAL · EPSS 26.1% · CWE-1336
In short

Gibbon up to and including version 26.0.00 passes user input directly to the Twig template engine without sanitization, allowing an attacker to inject template code that is executed on the server.

Technical detail

A Server-Side Template Injection (SSTI) vulnerability exists in /modules/School%20Admin/messengerSettings.php, where unsanitized user input is passed to the Twig template engine, enabling remote code execution. An attacker can craft malicious template syntax to execute arbitrary commands on the server. No authentication is required where the endpoint is reachable, consistent with PR:N in the CVSS vector below.

Summary generated and translated by AI from the official description.
Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine (messengerSettings.php) without sanitization.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a