PT-2018-15157 · Apache+1 · Freemarker+1

Buxuo · Published 2018-12-06 · Updated 2018-12-26 · CVE-2018-19907

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Crafter CMS version 3.0.18

Description: A Server-Side Template Injection issue allows attackers with developer privileges to execute OS commands by creating or editing a template file (.ftl filetype) that triggers a call to freemarker.template.utility.Execute in the FreeMarker library during rendering of a web page.

Recommendations: For Crafter CMS version 3.0.18, consider restricting access to template file creation and editing to prevent potential exploitation until a patch is available. As a temporary workaround, consider disabling the use of the FreeMarker library or restricting its functionality to minimize the risk of OS command execution.

Weakness Enumeration

OS Command Injection

Related identifiers

CVE-2018-19907
GHSA-9FCP-VCQ9-9H2H

Affected products

Crafter CMS
FreeMarker