https://blog.qife122.com/tags/flarum/ Recent content in Flarum on 办公AI智能小助手 Hugo zh-cn qife Sat, 13 Dec 2025 17:58:41 +0800 https://blog.qife122.com/p/%E9%AB%98%E5%8D%B1%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90flarum-pretty-mail%E6%8F%92%E4%BB%B6%E4%B8%AD%E7%9A%84%E6%9C%8D%E5%8A%A1%E5%99%A8%E7%AB%AF%E6%A8%A1%E6%9D%BF%E6%B3%A8%E5%85%A5ssti%E9%A3%8E%E9%99%A9/ Sat, 13 Dec 2025 17:58:41 +0800 https://blog.qife122.com/p/%E9%AB%98%E5%8D%B1%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90flarum-pretty-mail%E6%8F%92%E4%BB%B6%E4%B8%AD%E7%9A%84%E6%9C%8D%E5%8A%A1%E5%99%A8%E7%AB%AF%E6%A8%A1%E6%9D%BF%E6%B3%A8%E5%85%A5ssti%E9%A3%8E%E9%99%A9/ <h3 id="cve-2024-58303-cwe-1336flarum-friendsofflarum-pretty-mail中模板引擎特殊元素的不当中和ssti">CVE-2024-58303: CWE-1336：Flarum FriendsofFlarum Pretty Mail中模板引擎特殊元素的不当中和（SSTI）</h3> <p><strong>严重性：高</strong> <strong>类型：漏洞</strong></p> <p>FoF Pretty Mail 1.1.2 包含一个服务器端模板注入漏洞，该漏洞允许管理员用户向电子邮件模板中注入恶意代码。攻击者可通过插入精心构造的模板表达式，在电子邮件生成期间触发任意代码执行，从而执行系统命令。</p>