
Cloud Vulnerability DB
A community-led vulnerabilities database
In the IsolatedRazorEngine component of Antaris RazorEngine through version 4.5.1-alpha001, an attacker can execute arbitrary .NET code in a sandboxed environment when users can externally control template contents. This vulnerability was discovered in March 2022 and affects products that are no longer supported by the maintainer (NVD, MITRE).
The vulnerability exists in the IsolatedRazorEngineService component, which relies internally on Code Access Security (CAS) to sandbox templates. The issue arises because CAS has been obsoleted and is not supported on current platforms (.NET 5/6 and .NET Core), and Microsoft will no longer provide patches for security issues related to CAS. The vulnerability can be exploited through template manipulation using dynamic code execution and RazorDynamicObject (GitHub Issue). The CVSS v3.1 base score is 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).
When successfully exploited, this vulnerability allows attackers to execute arbitrary .NET code within the sandboxed environment. This can lead to unauthorized code execution and compromise of the affected system's security boundaries (NVD).
Users depending on IsolatedRazorEngineService for security are urged to redesign their security approach. A temporary fix involves applying a patch that disables 'dynamic' functionality, but this is not a long-term solution. The maintainers recommend against using string concatenation with untrusted user inputs in templates and suggest using @ syntax elements instead (GitHub Issue).
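The following is an added example, not code from the RazorEngine project or from the advisory. It contrasts the pattern the maintainers warn about (untrusted input concatenated into the template source) with the recommended one (a fixed template that reads the input through @Model), using the RazorEngine 4.x `Engine.Razor.RunCompile` API; the `Greeting` model, the template strings and the sample input are assumptions made up for this illustration.

```csharp
using System;
using RazorEngine;
using RazorEngine.Templating;

// Constructed model type for the example: untrusted data travels in here,
// never in the template source.
public class Greeting
{
    public string Name { get; set; }
}

public static class TemplateDemo
{
    // Weak pattern from the advisory: the untrusted value becomes part of the
    // template *source*, so any Razor syntax it contains is compiled and run as
    // template code. The CAS sandbox of IsolatedRazorEngineService is not a
    // supported boundary, so this must be treated as code execution risk.
    public static string RenderByConcatenation(string untrustedName)
    {
        string template = "<p>Hello " + untrustedName + "</p>";
        // The template source is used as its own cache key because every
        // distinct input produces a distinct template.
        return Engine.Razor.RunCompile(template, template);
    }

    // Recommended pattern: the template is a constant under application control
    // and is compiled once; the untrusted value reaches it only as model data.
    // RazorEngine's default @ output is HTML-encoded, so markup in the input is
    // rendered as text rather than interpreted.
    private const string GreetingTemplate = "<p>Hello @Model.Name</p>";

    public static string RenderWithModel(string untrustedName)
    {
        return Engine.Razor.RunCompile(GreetingTemplate, "greeting",
                                       typeof(Greeting),
                                       new Greeting { Name = untrustedName });
    }

    public static void Main()
    {
        // Constructed sample input containing markup characters.
        string input = "<b>Ann</b>";

        // Model-based rendering encodes the input: "<p>Hello &lt;b&gt;Ann&lt;/b&gt;</p>"
        Console.WriteLine(RenderWithModel(input));

        // Concatenation compiles the input as part of the template; with a
        // user-controlled string this is the condition the advisory describes.
        Console.WriteLine(RenderByConcatenation("Ann"));
    }
}
```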
Source: This report was generated using AI