Netaxis API Orchestrator (APIO) before 0.19.3 allows server side template injection (SSTI).
SSTI (Server-Side Template Injection) involves injecting malicious code into a template processed on the server side. An attacker provides specially crafted input data that the template engine interprets and executes as code instead of treating it as plain text. In the case of the vulnerability classified as CWE-1336, this means improper neutralization of input data in templates, which enables the execution of arbitrary instructions in the context of the application or operating system.
An attacker can gain full control over the server, including reading and modifying sensitive data, executing arbitrary system commands (RCE), and potentially conducting lateral movement within the victim's infrastructure.
Netaxis API Orchestrator should be updated to version 0.19.3 or later. It is also recommended to restrict network access to the API interface only to trusted sources as a complementary security measure.
Netaxis API Orchestrator (APIO) in versions prior to 0.19.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HNetaxis Api Orchestrator
APPNetaxis< 0.19.3