PT-2020-16221 · Apache+1 · Freemarker+1

Alvaro Muñoz

Published

2020-10-06

Updated

2022-02-09

CVE-2020-25803

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Crafter Software Crafter CMS versions prior to 3.0.27 Crafter Software Crafter CMS versions prior to 3.1.7

Description The issue allows authenticated developers to execute OS commands via FreeMarker template exposed objects due to improper control of dynamically-managed code resources in Crafter Studio of Crafter CMS.

Recommendations For versions prior to 3.0.27, update to version 3.0.27 or later. For versions prior to 3.1.7, update to version 3.1.7 or later. As a temporary workaround, consider restricting access to the FreeMarker template exposed objects until a patch is available.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-913

Related Identifiers

CVE-2020-25803

GHSA-8786-WG74-F522

Affected Products

Crafter Cms

Freemarker

PT-2020-16221 · Apache+1 · Freemarker+1

CVE-2020-25803

Weakness Enumeration

Related Identifiers

Affected Products

References · 5