Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user
Vulnerability Description
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
CWE-1336
Vulnerability Title
listmonk 安全漏洞
Vulnerability Description
listmonk是Kailash Nadh个人开发者的一个具有现代仪表板的高性能、自托管、时事通讯和邮件列表管理器。 listmonk 5.0.2之前版本存在安全漏洞,该漏洞源于模板函数捕获环境变量,可能导致敏感信息泄露。
CVSS Information
N/A
Vulnerability Type
N/A