Cyber Posture

CVE-2024-54954

Severity: High | Public PoC

Published: 10 February 2025

Modified: 28 March 2025
CVSS Score: 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0083 (74.5th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

OneBlog v2.3.6 was discovered to contain a template injection vulnerability via the template management department.

Security Summary

CVE-2024-54954 is a template injection vulnerability affecting OneBlog version 2.3.6, specifically in the template management department. The flaw is classified under CWE-1336 (improper neutralization of special elements used in a template engine): user-supplied input is handled improperly in templates, allowing malicious template code to be executed by the templating engine. The vulnerability received a CVSS v3.1 base score of 8.0, reflecting its high severity due to network accessibility and significant impact potential.

An attacker with low privileges (PR:L), such as an authenticated user, can exploit this over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R), such as a user clicking a malicious link or submitting crafted input. Successful exploitation has high confidentiality (C:H), integrity (I:H), and availability (A:H) impacts without changing scope (S:U), potentially leading to full server compromise, data exfiltration, or arbitrary code execution on the affected OneBlog instance.

Advisories and additional details, including potential patches or workarounds, are documented in references such as the GitHub Gist at https://gist.github.com/kaoniniang2/03658cc78e789b992b378f4951bedfb7 and the Gitee issue tracker at https://gitee.com/yadong.zhang/DBlog/issues/IB6552. Security practitioners should review these for version-specific mitigation guidance.

Details

CWE(s): CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)

Affected Products

zhyd oneblog, versions ≤ 2.3.6
