CVE-2023-29689

9.8 CRITICAL

📋 TL;DR

PyroCMS 3.9 contains a server-side template injection vulnerability that allows unauthenticated attackers to execute arbitrary code on affected systems. This remote code execution vulnerability affects all PyroCMS 3.9 installations with default configurations. Attackers can compromise the entire server through this flaw.

💻 Affected Systems

Products:
  • PyroCMS
Versions: 3.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All PyroCMS 3.9 installations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise leading to data theft, ransomware deployment, lateral movement to other systems, and persistent backdoor installation.

🟠 Likely Case

Webshell installation, credential harvesting, data exfiltration, and use as pivot point for further attacks.

🟢 If Mitigated

Limited impact if proper network segmentation, WAF rules, and monitoring are in place to detect and block exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available. Attack requires only HTTP access to vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Upgrade to a supported version or implement workarounds.

🔧 Temporary Workarounds

WAF Rule Implementation

all

Implement web application firewall rules to block template injection patterns

# Example ModSecurity rule; add to the WAF configuration
SecRule ARGS "\{\{.*\}\}" "id:1001,phase:2,deny,status:403,msg:'SSTI Attempt'"

Input Validation Filter

all

Add input validation to filter template syntax from user inputs

# PHP example; implement in vulnerable template processing functions
$input = preg_replace('/\{\{.*\}\}/', '', $_POST['input']);

🧯 If You Can't Patch

  • Isolate affected systems in separate network segment with strict egress filtering
  • Implement application-level monitoring for suspicious template processing patterns

🔍 How to Verify

Check if Vulnerable:

Check whether the installation is running PyroCMS version 3.9. As a safe test, submit the payload {{7*7}}; a vulnerable instance returns 49.

Check Version:

Check PyroCMS configuration files or admin panel for version information

Verify Fix Applied:

Repeat the test with the same payload after implementing the workarounds; the template code should not execute.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing template syntax {{ }} in parameters
  • Unusual process execution from web server user
  • Large outbound data transfers from web server

Network Indicators:

  • HTTP POST requests with template injection patterns
  • Unusual outbound connections from web server

SIEM Query:

source="web_logs" AND ("{{.*}}" OR "\{\{.*\}\}")
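
The query above matches literal braces, but access logs can record the same parameters percent-encoded ({{ appears as %7B%7B, or %257B%257B when double-encoded). The Python sketch below is an added example, not code from this advisory or from PyroCMS; it decodes each request target before looking for the {{ }} syntax, and the combined log format, paths and log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Matches the {{ ... }} expression syntax named in the log indicators.
TEMPLATE_EXPR = re.compile(r"\{\{.*?\}\}", re.DOTALL)
# Assumed combined-log-format line: ip ... "METHOD target HTTP/x.y" status
REQUEST = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded braces (%257B) become visible."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_template_syntax(log_lines):
    """Return (line_number, client_ip, decoded_target) for each suspicious request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.match(line)
        if not match:
            continue  # not a request line in the assumed format
        target = decode_fully(match.group("target"))
        if TEMPLATE_EXPR.search(target):
            hits.append((number, match.group("ip"), target))
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2023:10:00:01 +0000] "GET /posts?page=2 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/May/2023:10:00:05 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 731',
    '198.51.100.7 - - [01/May/2023:10:00:09 +0000] "GET /search?q=%257B%257B7*7%257D%257D HTTP/1.1" 200 731',
    '203.0.113.4 - - [01/May/2023:10:00:12 +0000] "GET /docs?ref={single}+brace HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, ip, target in find_template_syntax(SAMPLE_LOG):
        print(f"line {number}: {ip} requested {target}")
```

Access logs carry only the request line, so template syntax sent in a POST body has to be checked in a source that records bodies, such as WAF audit logs.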
