Credit: StrCXY
Server-Side Template Injection in Dispatch Message Templates
Authenticated users can achieve Remote Code Execution (RCE) via Server-Side Template Injection (SSTI) using Dispatch's notification functionality if their instance contains an enabled message template containing malicious code.
Admin users have full access to create, edit, and delete these message templates. Non-admins can also exploit this vulnerability if they are the first to create a message template as they do not have the permissions to edit an existing message template.
All versions of Dispatch before #5002 are impacted and should be patched immediately.
To determine if your Dispatch deployment is affected, locate the version number (GitHub commit hash) in the help dropdown from the top menu bar. If this hash value comes after the fix c1626bf, your deployment is not impacted.
Dispatch's notification service uses Jinja templates to generate messages to users. Jinja permits code execution within blocks, which were neither properly sanitized nor sandboxed. This vulnerability enables users to construct command line scripts in their custom message templates, which are then executed whenever these notifications are rendered and sent out.
This issue was fixed in #5002 and a new release with the fix was created. Please, upgrade your Dispatch instances to the new version. View in-repo security advisory here.