CVE-2020-12736
HIGH
Code42 < 7.0.4 - Remote Code Execution via Email Invitation Subject Template Injection
Title source: llm
Description
Code42 environments with on-premises server versions 7.0.4 and earlier allow for possible remote code execution. When an administrator creates a local (non-SSO) user via a Code42-generated email, the administrator has the option to modify content for the email invitation. If the administrator entered template language code in the subject line, that code could be interpreted by the email generation services, potentially resulting in server-side code injection.
References (2)
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://support.code42.com/Release_Notes
Vendor Advisory x_refsource_confirm
https://code42.com/r/support/CVE-2020-12736
Scores
CVSS v3
7.2
EPSS
0.0203
EPSS Percentile
78.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-74
Status
published
Products (1)
code42/code42
< 7.0.4
Published
Jul 07, 2020
Tracked Since
Feb 18, 2026