CVE-2024-37301

Published: Jun 11, 2024

Modified: Feb 4, 2026

PUBLISHED

CVSS v3.1

7.2

HIGH

Description

Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the affected system. As of time of publication, no patched version exists, nor have any known workarounds been disclosed.

Vendor	Product	Versions
adfinis	document-merge-service	affected `< 6.5.2`

Weaknesses (CWE)

CWE-1336

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-r78h-55q6

x_refsource_CONFIRM

https://github.com/adfinis/document-merge-service/commit/a1edd39d33d1bdf75c31ea01c317547be90ca074

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-37301

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References