Server-Side Template Injection

Description

The application is vulnerable to Server-Side Template Injection (SSTI), which enables attackers to manipulate templates on the server side. This vulnerability arises when untrusted user input is directly used in server-side templates without adequate sanitization. Attackers can exploit this weakness to inject and execute arbitrary code in templates, potentially compromising the system’s integrity and confidentiality.

Remediation

User-controlled data should always have special elements neutralized when used as part of constructing Expression Language statements. Consult the documentation for the template system in use on how properly neutralize user-controlled data.

Details

ID Aggregated CWE Type Risk
1336.1 false 1336 Active high