CVE-2021-46114

8.8 HIGH

📋 TL;DR

CVE-2021-46114 is a remote code execution vulnerability in JPress v4.2.0 that allows authenticated attackers with admin panel access to inject malicious code into email templates. This vulnerability affects all JPress installations running the vulnerable version, potentially compromising the entire server.

💻 Affected Systems

Products:
  • JPress
Versions: v4.2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin panel access to exploit. All JPress installations running v4.2.0 are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.

🟠 Likely Case

Attackers with admin credentials can execute arbitrary code on the server, potentially gaining full control of the JPress installation and underlying system.

🟢 If Mitigated

With proper access controls and network segmentation, impact is limited to the JPress application and isolated systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials. The vulnerability is in the email template editing function where code injection is possible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.2.1 or later

Vendor Advisory: https://github.com/JPressProjects/jpress/issues/172

Restart Required: Yes

Instructions:

1. Back up your JPress installation and database.
2. Download the latest version from GitHub.
3. Replace the vulnerable files with patched versions.
4. Restart the JPress application server.

🔧 Temporary Workarounds

Disable Admin Panel Access (Platform: all)

Temporarily restrict access to the admin panel to prevent exploitation:

# Configure firewall rules to block admin panel access
# Use web server configuration to restrict /admin paths

Remove Email Template Editing Permissions (Platform: all)

Modify admin role permissions to remove email template editing capabilities:

# Edit JPress role configuration to remove product notify template permissions

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the JPress server
  • Enable detailed logging and monitoring for admin panel activities and email template modifications

🔍 How to Verify

Check if Vulnerable:

Check JPress version in admin panel or by examining the application files. Version 4.2.0 is vulnerable.

Check Version:

Check the JPress admin dashboard or examine the version of the jpress-core-*.jar file.

Verify Fix Applied:

Verify the version has been updated to 4.2.1 or later and test email template editing functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin login attempts
  • Email template modification logs
  • Unusual process execution from JPress context

Network Indicators:

  • Unexpected outbound connections from JPress server
  • Suspicious payloads in HTTP requests to admin endpoints

SIEM Query:

source="jpress" AND (event="template_edit" OR event="admin_login")
