Description
CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field when configuring User Photo Location in User Settings, leading to Remote Code Execution.
Remediation
References