CVE-2024-58303

FoF Pretty Mail 1.1.2 Server Side Template Injection via Email Template Settings

CVSS 8.6 HIGHEPSS 0.5%CWE-1336

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 8.6EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

11 dic 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system commands by inserting crafted template expressions that trigger arbitrary code execution during email generation.

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Productos afectados

Flarum · FriendsofFlarum Pretty Mail

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://flarum.org/https://github.com/FriendsOfFlarum/pretty-mail https://www.exploit-db.com/exploits/51948 https://www.vulncheck.com/advisories/fof-pretty-mail-server-side-template-injection-via-email-template-settings