This Metasploit module exploit takes advantage of the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to remote code execution. This is due to a logic flaw that makes the script, dns and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups primarily using the script key. In order to exploit the vulnerabilities, the following requirements must be met: Run a version of Apache Commons Text from version 1.5 to 1.9, use the StringSubstitutor interpolator, and the target should run JDK versions prior to 15.
3303e5c941051cbc6b4f8ddaa2c9912a8740038a8cc31a244e760936ff9694d8
Prestashop Blockwishlist module version 2.1.0 suffers from a remote SQL injection vulnerability.
c4740ce3e754d2170870371886153ecc56be12fc11d2a658a526807b827fdd99