Server Side Template Injection in CraftCMS

Along with CVE-2021-27902, I also reported an SSTI vulnerability in CraftCMS, assigned CVE-2021-27903. The vulnerability involved multiple chained issues: broken access control, misconfigured volume aliases, and lack of sandbox enforcement in Twig. By configuring a volume to point outside the public directory (e.g., @config/../templates), I could upload a malicious Twig file directly into the templates directory. Once uploaded, I created a route to execute the Twig file, escaping the sandbox using Twig filters (e.g., {{ ['id']|filter('system') }}) to achieve remote code execution. The exploit chain was triggered via an XSS payload, completing the attack from stored XSS to RCE.
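The misconfigured-volume step above hinges on an alias path such as @config/../templates resolving outside the web root. The following is an added illustration (not CraftCMS code) of the containment check a defender would want when validating volume paths; the alias table and directory names are constructed placeholders, and only the @config and @webroot alias names are assumed from Craft.

```python
import os
from pathlib import Path

# Constructed alias table standing in for a CMS install. The directory layout
# is a placeholder, not a real Craft installation.
ALIASES = {
    "@webroot": "/srv/site/web",
    "@config": "/srv/site/config",
    "@templates": "/srv/site/templates",
}


def resolve_alias_path(configured: str, aliases: dict = ALIASES) -> str:
    """Expand a leading @alias and collapse '..' segments lexically.

    This is a lexical normalisation only; a production check should also run
    os.path.realpath() so symlinks cannot point the volume back outside the root.
    """
    for alias, base in aliases.items():
        if configured == alias or configured.startswith(alias + "/"):
            configured = base + configured[len(alias):]
            break
    return os.path.normpath(configured)


def volume_path_is_safe(configured: str,
                        allowed_root: str = ALIASES["@webroot"],
                        aliases: dict = ALIASES) -> bool:
    """Return True only if the volume's resolved path stays inside allowed_root.

    Path.relative_to compares whole path components, so a sibling directory
    such as /srv/site/webfoo is rejected even though it shares a string prefix.
    """
    resolved = Path(resolve_alias_path(configured, aliases))
    root = Path(os.path.normpath(allowed_root))
    try:
        resolved.relative_to(root)
    except ValueError:
        return False
    return True


def audit_volumes(volumes: dict) -> dict:
    """Map volume name -> (resolved path, is_safe) for a set of configured volumes."""
    return {name: (resolve_alias_path(path), volume_path_is_safe(path))
            for name, path in volumes.items()}


if __name__ == "__main__":
    # Constructed sample: one sane volume and the traversal pattern from the write-up.
    for name, (path, ok) in audit_volumes({
        "uploads": "@webroot/uploads",
        "suspicious": "@config/../templates",
    }).items():
        print(f"{name}: {path} -> {'ok' if ok else 'REJECT: outside web root'}")
```

Run on a volume configuration dump, anything flagged REJECT is a volume whose uploads land outside the served directory and therefore warrants the same scrutiny as the templates-directory case described above.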

References