BuildMaster Configuration File Template XSLT RCE
In October of 2017, I discovered a vulnerability in Inedo BuildMaster 5.8.1 related to the use of configuration file templates which allowed for RCE. This vulnerability could be exploited directly by an authenticated user or, in some cases, through multiple CSRF vulnerabilities without the user’s knowledge.