Home > Vulnerability Database > CVE-2024-37301

Mend.io Vulnerability Database

CVE-2024-37301

Good to know:

Date: June 11, 2024

Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the affected system. As of time of publication, no patched version exists, nor have any known workarounds been disclosed.

Language: Python

Severity Score

9.9

Related Resources (5)

Url: https://github.com/adfinis/document-merge-service/commit/a1edd39d33d1bdf75c31ea01c317547be90ca074

Url: https://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-r78h-55q6

Url: https://github.com/adfinis/document-merge-service

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-37301

Url: https://www.mend.io/vulnerability-database/CVE-2024-37301

Severity Score

9.9

Weakness Type (CWE)

Improper Neutralization of Special Elements Used in a Template Engine

CWE-1336

Top Fix

Upgrade Version

Upgrade to version document-merge-service - 6.5.2

Learn More

CVSS v3.1

Base Score:	9.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-37301

Good to know:

Date: June 11, 2024

Language: Python

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?