CVE-2024-25624: iris-web vulnerable to Server Side Template Injection in reports
First published: Thu Apr 25 2024(Updated: )
Iris is a web collaborative platform aiming to help incident responders sharing technical details during investigations. Due to an improper setup of Jinja2 environment, reports generation in `iris-web` is prone to a Server Side Template Injection (SSTI). Successful exploitation of the vulnerability can lead to an arbitrary Remote Code Execution. An authenticated administrator has to upload a crafted report template containing the payload. Upon generation of a report based on the weaponized report, any user can trigger the vulnerability. The vulnerability is patched in IRIS v2.4.6. No workaround is available. It is recommended to update as soon as possible. Until patching, review the report templates and keep the administrative privileges that include the upload of report templates limited to dedicated users.
Credit: security-advisories@github.com
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/first-publish-date
- agent/title
- agent/description
- agent/type
- collector/nvd-api
- source/NVD
- agent/severity
- agent/author
- agent/last-modified-date
- agent/tags
- agent/event