CVE-2024-58303: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine (SSTI) in Flarum FriendsofFlarum Pretty Mail
FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system commands by inserting crafted template expressions that trigger arbitrary code execution during email generation.
AI Analysis
Technical Summary
FriendsofFlarum Pretty Mail 1.1.2 contains a CWE-1336 vulnerability involving improper neutralization of special elements in its template engine. This server-side template injection (SSTI) enables administrative users to execute system commands by inserting crafted expressions into email templates, which are processed during email generation. The CVSS 4.0 base score is 8.6, indicating high severity with network attack vector, low attack complexity, no user interaction, and high impacts on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation allows an attacker with administrative privileges to execute arbitrary system commands on the server hosting the Pretty Mail extension. This can lead to full compromise of the affected system, including data theft, service disruption, or further lateral movement within the environment. Since the vulnerability is in a template engine used for email generation, it may be triggered during normal email sending operations.
Mitigation Recommendations
No official patch or remediation is currently available for this vulnerability. Users should restrict administrative access to trusted personnel only and monitor for unusual activity related to email template modifications. Check the vendor advisory regularly for updates or patches addressing this issue. Avoid using version 1.1.2 of FriendsofFlarum Pretty Mail in production environments until a fix is released.
CVE-2024-58303: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine (SSTI) in Flarum FriendsofFlarum Pretty Mail
Description
FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system commands by inserting crafted template expressions that trigger arbitrary code execution during email generation.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
FriendsofFlarum Pretty Mail 1.1.2 contains a CWE-1336 vulnerability involving improper neutralization of special elements in its template engine. This server-side template injection (SSTI) enables administrative users to execute system commands by inserting crafted expressions into email templates, which are processed during email generation. The CVSS 4.0 base score is 8.6, indicating high severity with network attack vector, low attack complexity, no user interaction, and high impacts on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation allows an attacker with administrative privileges to execute arbitrary system commands on the server hosting the Pretty Mail extension. This can lead to full compromise of the affected system, including data theft, service disruption, or further lateral movement within the environment. Since the vulnerability is in a template engine used for email generation, it may be triggered during normal email sending operations.
Mitigation Recommendations
No official patch or remediation is currently available for this vulnerability. Users should restrict administrative access to trusted personnel only and monitor for unusual activity related to email template modifications. Check the vendor advisory regularly for updates or patches addressing this issue. Avoid using version 1.1.2 of FriendsofFlarum Pretty Mail in production environments until a fix is released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2025-12-11T11:49:20.718Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 693b3df322246175c6a47135
Added to database: 12/11/2025, 9:56:03 PM
Last enriched: 4/7/2026, 10:54:59 PM
Last updated: 5/7/2026, 11:38:57 PM
Views: 144
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.