CVE-2021-23803 — Vulnetix

CVE-2021-23803 PUBLISHED

This affects the package latte/latte before 2.10.6. There is a way to bypass allowFunctions that will affect the security of the application. When the template is set to allow/disallow the use of certain functions, adding control characters (x00-x08) after the function will bypass these restrictions.

EPSS 0.41% · 61.4th percentile

Risk Scores

EPSS Score

0.41%

61.4th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:16.04:LTS	php-nette	0, 2.3.4-1, 2.3.5-1
Ubuntu:18.04:LTS	php-nette	2.4-20160731-1, 2.4-20160731-1ubuntu0.1, 0

Exploit Intelligence

https://github.com/nette/latte/issues/279 (nist-nvd)
https://snyk.io/vuln/SNYK-PHP-LATTELATTE-1932226 (nist-nvd)
https://github.com/nette/latte/commit/227c86eda9a8a6d060ea8501923e768b6d992210 (circl)

Timeline

Dec 17, 2021 CVE Published
Dec 20, 2021 EPSS Score
Dec 27, 2021 CVE Updated
Feb 12, 2022 EPSS Score
Apr 7, 2022 EPSS Score
Jun 1, 2022 EPSS Score
Jul 26, 2022 EPSS Score
Nov 11, 2022 EPSS Score
Jan 4, 2023 EPSS Score
Feb 27, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Apr 23, 2023 EPSS Score

References

https://ubuntu.com/security/CVE-2021-23803 third-party-advisory
https://github.com/nette/latte/commit/227c86eda9a8a6d060ea8501923e768b6d992210 third-party-advisory
https://github.com/nette/latte/issues/279 third-party-advisory
https://snyk.io/vuln/SNYK-PHP-LATTELATTE-1932226 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2021-23803 third-party-advisory

Open in Interactive Console →