Server-Side Template Injection in Crafter CMS by Crafter Software
CVE-2018-19907

8.8 HIGH

Key Information:

Vendor: Craftercms
CVE Published: 6 December 2018

What is CVE-2018-19907?

A Server-Side Template Injection vulnerability exists in Crafter CMS version 3.0.18 that allows an attacker with developer privileges to execute arbitrary operating system commands. The attacker modifies a FreeMarker template file (.ftl) so that it invokes freemarker.template.utility.Execute, a FreeMarker utility class that runs OS commands, and the commands execute when the web page is rendered. Successful exploitation gives the attacker unauthorized access to and control over the affected system, so affected deployments should be remediated promptly.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved