VYPR
High severity · NVD Advisory · Published Dec 6, 2018 · Updated Aug 5, 2024

CVE-2018-19907

Description

A Server-Side Template Injection issue was discovered in Crafter CMS 3.0.18. Attackers with developer privileges may execute OS commands by Creating/Editing a template file (.ftl filetype) that triggers a call to freemarker.template.utility.Execute in the FreeMarker library during rendering of a web page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Server-Side Template Injection in Crafter CMS 3.0.18 allows developers to execute OS commands via malicious FreeMarker templates.

Vulnerability

A Server-Side Template Injection (SSTI) vulnerability exists in Crafter CMS version 3.0.18. Attackers with developer privileges can inject malicious FreeMarker code into .ftl template files. The vulnerability is triggered when the template is rendered, calling freemarker.template.utility.Execute, leading to arbitrary OS command execution. [2][4]

Exploitation

An attacker must have developer-level access to create or modify a template file (.ftl extension). By injecting FreeMarker code that invokes the Execute utility, such as <#assign ex = "freemarker.template.utility.Execute"?new()>${ex("command")}, the attacker can execute arbitrary OS commands when the page is rendered. The exploit requires no additional user interaction beyond viewing the affected page. [4]

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands on the server, potentially leading to full system compromise, data exfiltration, or lateral movement within the network. The attack is executed in the context of the Crafter CMS application user, typically with high privileges. [2][3]

Mitigation

As of the available references, no official patch has been released for CVE-2018-19907. Users are advised to restrict developer privileges to trusted individuals, monitor template file modifications, and apply the principle of least privilege. A later Crafter CMS release may contain a fix, but the provided references name no specific version. [3]
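The "monitor template file modifications" advice above can be made concrete with a small detection check. The following is an added example, not code from Crafter CMS or from this advisory: it scans .ftl template content for the FreeMarker `?new()` built-in applied to a quoted class name, and rates the finding "high" when the class is one of the utility classes that FreeMarker's own `TemplateClassResolver.SAFER_RESOLVER` refuses to instantiate (the class list, the sample templates and the function names are constructed for this example).

```python
import re
from pathlib import Path
from typing import Dict, List

# Utility classes that FreeMarker's SAFER_RESOLVER blocks by default.
# Any ?new() on one of these inside a content template warrants an alert.
# (Constructed list for this example; Execute is the class named in the CVE.)
DANGEROUS_CLASSES = {
    "freemarker.template.utility.Execute",
    "freemarker.template.utility.ObjectConstructor",
    "freemarker.template.utility.JythonRuntime",
}

# Matches  "some.class.Name"?new(  with either quote style and optional whitespace.
NEW_BUILTIN = re.compile(r'''(["'])([A-Za-z_][\w.$]*)\1\s*\?\s*new\s*\(''')


def scan_template(text: str) -> List[Dict]:
    """Return one finding per ?new() call on a literal class name in the template."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in NEW_BUILTIN.finditer(line):
            cls = match.group(2)
            findings.append({
                "line": lineno,
                "class": cls,
                # Known command/object-construction classes are high severity;
                # any other ?new() in a content template still deserves review.
                "severity": "high" if cls in DANGEROUS_CLASSES else "review",
            })
    return findings


def scan_tree(root: Path) -> Dict[str, List[Dict]]:
    """Scan every .ftl file under root; map path -> findings (files with none are omitted)."""
    results: Dict[str, List[Dict]] = {}
    for path in root.rglob("*.ftl"):
        found = scan_template(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            results[str(path)] = found
    return results


# Constructed sample templates: one ordinary page template, one carrying the
# Execute pattern described in this advisory.
SAFE_SAMPLE = "<#assign title = contentModel.title!''>\n<h1>${title}</h1>\n"
SUSPICIOUS_SAMPLE = (
    '<#assign ex = "freemarker.template.utility.Execute"?new()>\n'
    '${ex("command")}\n'
)

if __name__ == "__main__":
    for name, sample in (("safe", SAFE_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, scan_template(sample))
```

The regex only catches class names written as a single string literal, so a template that assembles the name at render time is not matched; treat this scanner as a change-monitoring aid that complements, rather than replaces, configuring FreeMarker's `new_builtin_class_resolver` (for example `TemplateClassResolver.SAFER_RESOLVER` or `ALLOWS_NOTHING_RESOLVER`) on the rendering `Configuration`.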

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.craftercms:crafter-studio (Maven)
Affected versions: <= 3.0.18
Patched versions: none listed

Affected products (1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (5)

News mentions (0)

No linked articles in our index yet.