A Server-Side Template Injection issue was discovered in Crafter CMS 3.0.18. Attackers with developer privileges may execute OS commands by Creating/Editing a template file (.ftl filetype) that triggers a call to freemarker.template.utility.Execute in the FreeMarker library during rendering of a web page.
References
Link | Resource |
---|---|
https://github.com/craftercms/craftercms/issues/2677 | Exploit Third Party Advisory |
https://medium.com/%40buxuqua/rce-vulnerability-in-crafter-cms-server-side-template-injection-19d8708ce242 |
Configurations
History
07 Nov 2023, 02:55
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2018-12-06 07:29
Updated : 2024-02-28 16:48
NVD link : CVE-2018-19907
Mitre link : CVE-2018-19907
CVE.ORG link : CVE-2018-19907
JSON object : View
Products Affected
craftercms
- crafter_cms
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')