CVE-2023-33570

8.8 HIGH

📋 TL;DR

Bagisto v1.5.1 contains a Server-Side Template Injection (SSTI) vulnerability that allows attackers to execute arbitrary code on the server. This affects all Bagisto installations running version 1.5.1. Successful exploitation can lead to complete system compromise.

💻 Affected Systems

Products:
  • Bagisto
Versions: v1.5.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Bagisto installations running version 1.5.1 are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to full system compromise, data exfiltration, and persistent backdoor installation.

🟠 Likely Case

Unauthenticated attackers achieving remote code execution to deploy malware, steal data, or pivot to internal networks.

🟢 If Mitigated

Attackers can still submit template syntax, but proper input validation and sandboxing prevent it from executing as code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available in the referenced Medium article, which shows an SSTI-to-RCE chain.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.5.2 or later

Vendor Advisory: https://bagisto.com/en/security/

Restart Required: Yes

Instructions:

1. Back up your Bagisto installation and database.
2. Update to Bagisto v1.5.2 or later via composer update.
3. Clear the cache and restart the web server.

🔧 Temporary Workarounds

Input Validation Filter (all)

Implement strict input validation to reject template injection patterns.

Implement validation in app/Http/Controllers/Controller.php to sanitize user inputs.

WAF Rule (all)

Deploy web application firewall rules to block SSTI payloads.

Add WAF rules to detect and block {{, ${, <% patterns in requests.

🧯 If You Can't Patch

  • Isolate Bagisto instance behind strict network segmentation
  • Implement application-level input validation to reject template syntax

🔍 How to Verify

Check if Vulnerable:

Check whether the installed Bagisto version is 1.5.1, either via composer show bagisto/bagisto or via the version file.

Check Version:

composer show bagisto/bagisto | grep version

Verify Fix Applied:

Verify that the installed version is 1.5.2 or later and confirm that SSTI payloads no longer execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual template rendering errors
  • Suspicious POST requests with template syntax
  • Unexpected process execution

Network Indicators:

  • Outbound connections from Bagisto server to unknown IPs
  • Unusual payloads in HTTP requests

SIEM Query:

source="bagisto_logs" AND ("{{*" OR "${*" OR "<%*")
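The WAF rule above and this SIEM query both key on the same three template markers ({{, ${, <%). The following is an added example, not part of this advisory or of Bagisto, showing the same detection logic applied to access-log lines, with one caveat a plain substring match misses: markers that arrive percent-encoded (including double-encoded) in the request target. The log line format, the IP addresses and the request paths are constructed for the example and do not correspond to real Bagisto routes.

```python
import re
from urllib.parse import unquote_plus

# Template-syntax markers named in the advisory's WAF workaround and SIEM query.
TEMPLATE_MARKERS = ("{{", "${", "<%")

# Hypothetical access-log format, constructed for this example:
#   <client-ip> <method> <request-target> <status>
LOG_LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)


def decode_target(target: str) -> str:
    """Percent-decode the request target until it stops changing (bounded to
    a few rounds), so %7B%7B and double-encoded %257B%257B both surface as {{."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur


def find_markers(target: str) -> list[str]:
    """Return the template markers present in the decoded request target."""
    decoded = decode_target(target)
    return [marker for marker in TEMPLATE_MARKERS if marker in decoded]


def scan_log(lines) -> list[dict]:
    """Parse each log line and report those whose target carries a template marker.
    Lines that do not match the expected format are skipped, not flagged."""
    hits = []
    for line in lines:
        match = LOG_LINE_RE.match(line.strip())
        if not match:
            continue
        markers = find_markers(match.group("target"))
        if markers:
            hits.append(
                {
                    "ip": match.group("ip"),
                    "method": match.group("method"),
                    "target": match.group("target"),
                    "markers": markers,
                }
            )
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "203.0.113.10 GET /api/products?search=shoes 200",                 # benign
    "203.0.113.11 POST /account/profile?name=%7B%7Bprobe%7D%7D 200",  # encoded {{
    "203.0.113.12 GET /search?term=price%3C%25test 404",               # encoded <%
    "203.0.113.13 GET /cart?note=$%7Bx%7D 200",                        # partly encoded ${
    "203.0.113.14 GET /search?q=%257B%257Bx 200",                      # double-encoded {{
    "garbage line that does not parse",                                 # skipped
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['target']} -> {hit['markers']}")
```

The bounded decode loop is the point of the example: a WAF or SIEM rule that matches only the literal characters {{, ${ or <% will not see the encoded forms in the second, third and fifth sample lines, so the rule should be applied to the decoded request target, and a decode depth greater than one is needed for double-encoded input.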

🔗 References
