CVE-2024-37621
📋 TL;DR
StrongShop v1.0 contains a Server-Side Template Injection (SSTI) vulnerability in the /shippingOptionConfig/index.blade.php component. This allows attackers to execute arbitrary code on the server by injecting malicious template expressions. All users running StrongShop v1.0 are affected.
💻 Affected Systems
- StrongShop
📦 What is this software?
Strongshop by Strongshop
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution leading to complete system compromise, data theft, and potential lateral movement within the network.
Likely Case
Arbitrary code execution allowing attackers to read sensitive files, modify application data, or establish persistence on the server.
If Mitigated
Limited impact with proper input validation and template sandboxing in place, potentially reduced to information disclosure.
🎯 Exploit Status
SSTI vulnerabilities in PHP applications are frequently weaponized. The public GitHub issue provides technical details that could facilitate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.strongshop.cn
Restart Required: No
Instructions:
No official patch is available. Monitor the vendor website for updates. Consider upgrading to a newer version if available.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation for all user-controlled parameters passed to template rendering functions.
Template Engine Configuration
Configure the template engine to use a sandboxed environment with restricted access to dangerous functions.
🧯 If You Can't Patch
- Restrict access to the vulnerable endpoint using web application firewall (WAF) rules or network access controls.
- Implement network segmentation to isolate the StrongShop server from sensitive systems and data.
🔍 How to Verify
Check if Vulnerable:
Check if you are running StrongShop v1.0. Review the /shippingOptionConfig/index.blade.php file for improper handling of user input in template rendering.
Check Version:
Check the application version in the admin panel or configuration files.
Verify Fix Applied:
Verify that user input is properly validated and sanitized before being processed by the template engine.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /shippingOptionConfig/index.blade.php with template syntax payloads
- Unexpected system command execution in application logs
Network Indicators:
- HTTP requests containing template injection payloads (e.g., {{, ${, #{) to the vulnerable endpoint
SIEM Query:
source="web_logs" AND uri="/shippingOptionConfig/index.blade.php" AND (payload="{{*" OR payload="${*" OR payload="#{*")
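A concrete version of the log indicator above, as an added example that is not part of this advisory: it parses constructed access-log lines, percent-decodes the request target, and flags requests to the vulnerable path whose query string carries the `{{`, `${` or `#{` delimiters, which a literal `{{*` match would miss when the payload is URL-encoded. The log format, field names and sample lines are assumptions.

```python
"""Flag access-log entries that look like SSTI probes against the StrongShop
endpoint named in CVE-2024-37621. Added example; the log lines below are
constructed, not real StrongShop traffic."""
import re
from typing import Optional
from urllib.parse import unquote

# Combined log format: client, timestamp, "METHOD /path?query HTTP/x", status, size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/shippingOptionConfig/index.blade.php"
# Template delimiters listed in the advisory's network indicators.
TEMPLATE_MARKERS = ("{{", "${", "#{")


def is_ssti_probe(line: str) -> Optional[dict]:
    """Return the parsed fields when the request targets the vulnerable path
    and its query carries a template delimiter; otherwise None.

    The target is percent-decoded twice so that %7B%7B and double-encoded
    %257B%257B variants are caught as well as the literal characters."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a line in the assumed format
    target = unquote(unquote(m["target"]))
    path, _, query = target.partition("?")
    if path != VULN_PATH:
        return None
    markers = [t for t in TEMPLATE_MARKERS if t in query]
    if not markers:
        return None
    return {"client": m["client"], "method": m["method"],
            "status": m["status"], "markers": markers, "decoded_query": query}


def scan(lines):
    """Apply is_ssti_probe to every line and return the hits in order."""
    return [hit for hit in map(is_ssti_probe, lines) if hit]


# Constructed sample traffic: benign hit, plain probe, encoded probe, other path.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2024:10:00:01 +0000] "GET /shippingOptionConfig/index.blade.php?id=3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jul/2024:10:00:02 +0000] "POST /shippingOptionConfig/index.blade.php?name={{foo}} HTTP/1.1" 200 620',
    '10.0.0.9 - - [01/Jul/2024:10:00:03 +0000] "GET /shippingOptionConfig/index.blade.php?name=%7B%7Bbar%7D%7D HTTP/1.1" 200 620',
    '10.0.0.7 - - [01/Jul/2024:10:00:04 +0000] "GET /index.php?q={{x}} HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs do not record POST bodies, so this only covers delimiters in the query string; catching body payloads needs request-body logging at the WAF or application layer.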