CVE-2020-21523

Name of the Vulnerable Software and Affected Versions halo CMS version 1.1.3

Description A Server-Side Freemarker template injection issue exists in the Edit Theme File function, where the ftl file can be edited. This Freemarker template file can cause arbitrary code execution when rendered in the background. An example of exploitation is through the assignment and execution of a specific command, such as creating a file named "freemarkerPwned" in the /tmp directory.

Recommendations For halo CMS version 1.1.3, as a temporary workaround, consider restricting access to the Edit Theme File function to minimize the risk of exploitation. Additionally, avoid editing the ftl file directly until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.