CVE-2018-1000854: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

December 21, 2018 (updated September 14, 2021)

esigate.org esigate version 5.2 and earlier contains a CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) vulnerability in ESI directive with user specified XSLT that can result in Remote Code Execution. This attack appear to be exploitable via Use of another weakness in backend application to reflect ESI directives. This vulnerability appears to have been fixed in 5.3.

References

github.com/advisories/GHSA-hjm9-576q-399p
github.com/esigate/esigate/issues/209
nvd.nist.gov/vuln/detail/CVE-2018-1000854

Detect and mitigate CVE-2018-1000854 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →