CVE-2024-6947: 
NixOS vulnerability analysis and mitigation

A critical code injection vulnerability was discovered in Flute CMS version 0.2.2.4-alpha. The vulnerability affects the replaceContent function within the app/Core/Support/ContentParser.php file, specifically in the Notification Handler component. The issue was disclosed on July 21, 2024, and has been assigned identifier CVE-2024-6947 (NVD, VulDB).

The vulnerability exists in the notification template system where the replaceContent() function processes user-provided content containing template variables. While the system has predefined templates ({name}, {login}, {email}, and {balance}), the function continues to process any content within {} brackets through the evaluateExpression() function. This implementation flaw allows for arbitrary code execution through template injection. The vulnerability has received a CVSS v3.1 base score of 8.8 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows remote attackers to execute arbitrary system commands through template injection in the notification content. This can lead to complete system compromise, as demonstrated by the ability to execute system commands like {system("whoami")} through the notification system (GitHub).

No official patches or mitigations have been publicly announced by the vendor at the time of this report. Organizations using Flute CMS 0.2.2.4-alpha should consider restricting access to the notification system and monitoring for suspicious activity (NVD).