CVE-2018-19907
Summary
| CVE | CVE-2018-19907 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-12-06 07:29:00 UTC |
| Updated | 2023-11-07 02:55:00 UTC |
| Description | A Server-Side Template Injection issue was discovered in Crafter CMS 3.0.18. Attackers with developer privileges may execute OS commands by Creating/Editing a template file (.ftl filetype) that triggers a call to freemarker.template.utility.Execute in the FreeMarker library during rendering of a web page. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| RCE Vulnerability in Crafter CMS — Server-Side Template Injection \| by … \| Medium | | medium.com | |
| RCE Vulnerability in Crafter CMS — Server-Side Template Injection \| by … \| Medium | MISC | medium.com | Exploit, Third Party Advisory |
| Critical vulnerability: Server-Side Template Injection/ RCE Attack · Issue #2677 · craftercms/craftercms · GitHub | MISC | github.com | Exploit, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 981165 Java (maven) Security Update for org.craftercms:crafter-studio (GHSA-9fcp-vcq9-9h2h)