CVE-2015-0249

Name of the Vulnerable Software and Affected Versions Apache Roller versions 5.1 through 5.1.1

Description The issue allows remote authenticated users with admin privileges for a weblog to execute arbitrary Java code via crafted Velocity Text Language (VTL) in the weblog page template.

Recommendations For Apache Roller versions 5.1 through 5.1.1, consider restricting access to the weblog page template to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the use of Velocity Text Language (VTL) in the weblog page template to prevent the execution of arbitrary Java code.