Closed (jquinard closed this issue 4 years ago)
We could consider including basic PoC scenarios as well, like so:
P4 - Server-Side Injection > Server-Side Template Injection (SSTI) -> Basic
Varies - Server-Side Injection > Server-Side Template Injection (SSTI) -> Custom
Another option:
P4 - Server-Side Injection > Server-Side Template Injection (SSTI) -> Unknown Impact
Varies - Server-Side Injection > Server-Side Template Injection (SSTI) -> Known Impact
Looks like the originally proposed option "Basic/Custom" is favored by the team.
Server-Side Template Injection is a real vuln type that is not addressed by the VRT. If there are no objections, it should be added. I propose that we add it with a varying priority, since the impact can range widely from P1 to P5 depending on the proof of concept. Proposed category:
Varies - Server-Side Injection > Server-Side Template Injection (SSTI)
We also need to address the most basic of proof of concepts for these issues, which is demonstrating a mathematical operation (ex. {{5*5}}). Should we consider these as a P4 or a P5? They don't demonstrate impact, but it doesn't mean that escalating this to RCE, for example, isn't possible. In short, is it worth triaging these as P4 so a client can have visibility and determine what the real priority should be?
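As an added illustration of the "mathematical operation" proof of concept discussed in this issue (example code written for this page, not part of the VRT project or any real template engine): the toy `render` function below is an assumed stand-in that only evaluates `{{ expression }}` arithmetic on a whitelisted AST, so it cannot do anything beyond integer maths. What it shows is the root cause triagers are classifying: `greet_vulnerable` lets untrusted input become part of the template *source*, so `{{5*5}}` renders as `25`, while `greet_fixed` passes the same input as template *data* and echoes it back literally. `probe_evaluates` is the check a developer or triager can run against a handler to confirm whether template syntax in user input is evaluated, i.e. whether a basic SSTI report still reproduces after a fix.

```python
import ast
import operator
import re

# Assumed minimal template engine: models only the "{{ expr }}" evaluation that
# basic SSTI probes such as {{5*5}} rely on. Not Jinja2/Twig/etc.
_EXPR = re.compile(r"\{\{(.*?)\}\}")

_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
}


def _eval_node(node, context):
    """Evaluate a tiny whitelisted grammar: int/str literals, names, + - *."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, context)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, str)):
        return node.value
    if isinstance(node, ast.Name):
        return context[node.id]  # KeyError for unknown variables
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _eval_node(node.left, context)
        right = _eval_node(node.right, context)
        return _BIN_OPS[type(node.op)](left, right)
    raise ValueError("unsupported expression")


def render(template_source, context):
    """Replace every {{ expr }} in the template SOURCE with its evaluated value.

    Single-pass substitution: values coming from `context` are inserted
    verbatim and are never re-parsed as template syntax.
    """
    def substitute(match):
        tree = ast.parse(match.group(1).strip(), mode="eval")
        return str(_eval_node(tree, context))
    return _EXPR.sub(substitute, template_source)


def greet_vulnerable(user_name):
    """BUG: untrusted input is concatenated into the template source."""
    return render("Hello " + user_name + "!", {})


def greet_fixed(user_name):
    """Template source is a constant; untrusted input is only template data."""
    return render("Hello {{ name }}!", {"name": user_name})


def probe_evaluates(handler, probe="{{5*5}}", expected="25"):
    """Return True if `handler` evaluates template syntax found in its input.

    This is the same observation a basic SSTI report makes: the arithmetic
    result appears in the response and the literal probe does not.
    """
    output = handler(probe)
    return expected in output and probe not in output


if __name__ == "__main__":
    # Constructed sample input: the math probe from the issue text.
    print(greet_vulnerable("{{5*5}}"))  # Hello 25!
    print(greet_fixed("{{5*5}}"))       # Hello {{5*5}}!
    print(probe_evaluates(greet_vulnerable), probe_evaluates(greet_fixed))
```

The evaluation happens in `render` in both handlers; the only difference is whether user input reaches the template source or the context dictionary, which is why the fix for this class is to keep template sources static rather than to filter `{{` out of input.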