CVE-2020-8644 Scanner
Detects the 'Server Side Template Injection (SSTI)' vulnerability in PlaySMS, which affects versions before 1.4.3.
Short Info
- Level: Critical
- Single Scan
- Can be used by: Asset Owner
- Estimated Time: 10 seconds
- Time Interval: 1 month
- Scan only one: Domain, IPv4
- Toolbox: -
PlaySMS is an open-source web-based application used for sending and receiving SMS messages. This platform enables users to send messages in bulk and manage them using a web interface or through a mobile app. It is widely used in various industries, including healthcare, finance, marketing, and education. PlaySMS provides a simple, yet effective way for businesses to reach out to their clients quickly and efficiently.
CVE-2020-8644 is a critical vulnerability in PlaySMS before version 1.4.3. It is a pre-authentication server-side template injection flaw that leads to remote code execution. The issue arises because a server-side template is processed twice by a custom PHP template system called TPL. Attackers can submit a malicious payload via a username and store it in a TPL template. When the template is rendered a second time, it results in code execution.
Exploiting this vulnerability can have devastating consequences for businesses using PlaySMS. Attackers can gain unauthorized access to sensitive data, manipulate SMS messages, and even take over the entire system. This would result in significant losses for businesses, including financial losses, reputational damage, and legal penalties.
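The double-processing flaw described above, modelled in a toy engine with the flawed flow beside two corrected ones; this is an added example, not PlaySMS code and not part of the original page. The `{{NAME}}` syntax, function names and sample values are all constructed assumptions, and the injected tag here only reads a variable rather than executing code.

```python
import re

# Constructed toy syntax: {{NAME}} is a placeholder (not PlaySMS's TPL syntax).
TAG = re.compile(r"\{\{(\w+)\}\}")

def render(template, variables):
    """One pass: fill known {{NAME}} tags, leave unknown tags untouched."""
    return TAG.sub(lambda m: str(variables.get(m.group(1), m.group(0))), template)

def render_twice(template, user_vars, server_vars):
    """Flawed flow: pass-1 output, which now contains user data,
    becomes the template for pass 2, so user data is parsed as tags."""
    return render(render(template, user_vars), server_vars)

def neutralize(value):
    """Encode the tag delimiters so a later pass sees plain data."""
    return value.replace("{", "&#123;").replace("}", "&#125;")

def render_twice_hardened(template, user_vars, server_vars):
    """Mitigation if two passes are unavoidable: neutralize untrusted values."""
    safe = {k: neutralize(v) for k, v in user_vars.items()}
    return render(render(template, safe), server_vars)

def render_once(template, user_vars, server_vars):
    """Preferred fix: a single pass over the trusted template. re.sub never
    rescans substituted text, so user values stay data. Server values win
    on name clashes."""
    return render(template, {**user_vars, **server_vars})

def has_template_syntax(value):
    """Input check: flag untrusted fields that carry tag delimiters."""
    return bool(TAG.search(value))

# Constructed sample data.
TEMPLATE = "Login failed for {{USERNAME}} on {{SITE}}"
SERVER = {"SITE": "Example SMS", "DB_PASSWORD": "constructed-secret"}
HOSTILE = {"USERNAME": "{{DB_PASSWORD}}"}

if __name__ == "__main__":
    print("twice   :", render_twice(TEMPLATE, HOSTILE, SERVER))
    print("hardened:", render_twice_hardened(TEMPLATE, HOSTILE, SERVER))
    print("once    :", render_once(TEMPLATE, HOSTILE, SERVER))
    print("flagged :", has_template_syntax(HOSTILE["USERNAME"]))
```

Neither corrected flow HTML-escapes its output; that is a separate control from keeping untrusted values out of template parsing.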
Thanks to the pro features offered by the s4e.io platform, businesses can quickly and easily learn about vulnerabilities in their digital assets. By subscribing to this service, businesses can stay ahead of potential threats and take proactive measures to protect their systems. The platform offers a comprehensive range of features that enable businesses to detect, prioritize and manage vulnerabilities effectively. By using this service, businesses can ensure the security of their digital assets and mitigate the risk of cyber attacks.
REFERENCES
- http://packetstormsecurity.com/files/157106/PlaySMS-index.php-Unauthenticated-Template-Injection-Code-Execution.html
- https://forum.playsms.org/t/playsms-1-4-3-has-been-released/2704
- https://playsms.org/2020/02/05/playsms-1-4-3-has-been-released/
- https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/