CVE-2017-14198

HIGH

Squiz Matrix < 5.3.6.1 and 5.4.x < 5.4.1.3 - Authenticated Remote Code Execution via Time Format Tag

Title source: llm

Description

An issue was discovered in Squiz Matrix before 5.3.6.1 and 5.4.x before 5.4.1.3. Authenticated users with permissions to edit design assets can cause Remote Code Execution (RCE) via a maliciously crafted time_format tag.

References (1)

Core References
Issue Tracking, Third Party Advisory x_refsource_misc
http://devalias.net/devalias/2017/09/07/squiz-matrix-multiple-vulnerabilities/

Scores

CVSS v3 8.8
EPSS 0.0177
EPSS Percentile 75.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (8)
squiz/matrix 5.4.0.0
squiz/matrix 5.4.0.1
squiz/matrix 5.4.0.2
squiz/matrix 5.4.0.3
squiz/matrix 5.4.1.0
squiz/matrix 5.4.1.1
squiz/matrix 5.4.1.2
squiz/matrix < 5.3.6.0
Published Nov 30, 2017
Tracked Since Feb 18, 2026