CVE-2023-49964

Name of the Vulnerable Software and Affected Versions Hyland Alfresco Community Edition versions through 7.2.0

Description The issue exists due to the failure to neutralize special elements in the folder.get.html.ftl component of the Hyland Alfresco Community Edition content management system. This allows a remote attacker to exploit the vulnerability and execute arbitrary code. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform Server-Side Template Injection (SSTI) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve Remote Code Execution (RCE).

Recommendations For Hyland Alfresco Community Edition versions through 7.2.0, consider disabling the folder.get.html.ftl component until a patch is available to prevent exploitation. Restrict access to the vulnerable folder.get.html.ftl file to minimize the risk of SSTI attacks. Avoid using the folder.get.html.ftl file in production environments until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.