CVE-2024-24724 is a critical Server Side Template Injection (SSTI) vulnerability found in the Gibbon education management system, specifically affecting versions through 26.0.00. The vulnerability resides in the messengerSettings.php script located in the /modules/School Admin/ directory. The root cause is the unsanitized passing of user-controlled input to the Twig template engine, which is used to render templates server-side. Twig, when improperly handled, can allow attackers to inject malicious template code that the engine executes, resulting in Remote Code Execution (RCE). This means an attacker can run arbitrary commands on the server hosting the Gibbon application without any authentication or user interaction. The vulnerability is classified under CWE-1336 (Improper Neutralization of Input During Template Processing), highlighting the failure to sanitize inputs before template rendering. The CVSS v3.1 base score is 9.8, indicating a critical severity with network attack vector, no privileges required, no user interaction, and full impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the vulnerability’s characteristics make it highly exploitable. The lack of available patches at the time of publication necessitates immediate attention from administrators to implement workarounds or mitigations. Given Gibbon’s role in managing sensitive educational data and administrative functions, exploitation could lead to data breaches, system takeover, and disruption of educational services.

The impact of CVE-2024-24724 is severe for organizations using the Gibbon platform, particularly educational institutions and school districts. Successful exploitation allows remote attackers to execute arbitrary code on the server, potentially leading to full system compromise. This can result in unauthorized access to sensitive student and staff data, manipulation or deletion of records, disruption of school administrative operations, and deployment of further malware or ransomware. The vulnerability’s ease of exploitation without authentication or user interaction increases the likelihood of automated attacks and widespread exploitation once public exploits emerge. Organizations may face regulatory and reputational damage due to data breaches and service outages. The critical nature of the vulnerability demands urgent remediation to prevent attackers from leveraging this flaw to gain persistent access or pivot within the network.

1. Immediate mitigation should include restricting access to the /modules/School Admin/messengerSettings.php endpoint via network controls such as firewalls or web application firewalls (WAFs) to limit exposure. 2. Implement input validation and sanitization at the application layer to ensure that any data passed to the Twig template engine is properly escaped or filtered. 3. Monitor application logs for unusual requests targeting the messengerSettings.php script or attempts to inject template syntax. 4. If possible, disable or isolate the vulnerable module until an official patch is released by the Gibbon development team. 5. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect and block suspicious code execution attempts. 6. Keep the Gibbon platform and all dependencies up to date and subscribe to vendor security advisories for timely patch deployment. 7. Conduct a thorough security review of all template rendering code to identify and remediate similar injection risks. 8. Educate administrators and developers on secure template handling practices to prevent future SSTI vulnerabilities.