An issue was discovered in Hyland Alfresco Community Edition <=7.2.0. By inserting malicious content into the folder.get.html.ftl template, an authenticated attacker can perform SSTI (Server-Side Template Injection). The injected template code can reach objects that FreeMarker exposes to templates, escape the intended sandbox restrictions, and achieve RCE (Remote Code Execution).
Note: This issue exists because of an incomplete fix for CVE-2020-12873.
The disclosure for this vulnerability can be found here.
This vulnerability requires:
- Valid user credentials
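Because the attack works by modifying a stored FreeMarker template, one practical detection control is to scan template files for the constructs that let a template reach arbitrary Java objects (`?new`, `?api`, class/classloader walks, and the `freemarker.template.utility` helpers). The scanner below is an added example, not code from this advisory or from Alfresco; the two template strings are constructed samples that only imitate an Alfresco web script template, and the pattern names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: a benign web-script-style template fragment.
# This is NOT the real folder.get.html.ftl; it only imitates its shape.
BENIGN_TEMPLATE = """<#assign folder = node>
<h1>${folder.name?html}</h1>
<#list folder.children as child>
  <li>${child.name?html}</li>
</#list>
"""

# Constructed sample: the same fragment with FreeMarker gadget constructs
# inserted, the kind of tampering a stored-template SSTI relies on.
TAMPERED_TEMPLATE = """<#assign folder = node>
<h1>${folder.name?html}</h1>
<#assign ex = "freemarker.template.utility.Execute"?new()>
${ex("id")}
<#assign cl = folder.class.protectionDomain.classLoader>
${folder?api.getClass()}
"""

# FreeMarker constructs that give a template access to arbitrary Java
# objects. Legitimate view templates almost never need any of them, so a
# hit in a stored template is a strong tampering signal. (Pattern names
# are illustrative; the constructs themselves are FreeMarker features.)
SUSPICIOUS_PATTERNS: Dict[str, re.Pattern] = {
    "new_builtin": re.compile(r"\?new\s*\("),            # "cls"?new() object construction
    "api_builtin": re.compile(r"\?api\b"),               # ?api exposes the raw Java object
    "class_walk": re.compile(r"\.class\b|\.getClass\(\)"),  # reflection via Class objects
    "execute_util": re.compile(
        r"freemarker\.template\.utility\.(Execute|ObjectConstructor|JythonRuntime)"
    ),
    "classloader": re.compile(r"\b(protectionDomain|classLoader|getClassLoader)\b"),
}


def scan_template(text: str) -> Dict[str, List[int]]:
    """Return {pattern_name: [1-based line numbers]} for every suspicious construct found."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def is_tampered(text: str) -> bool:
    """True if the template contains any construct from SUSPICIOUS_PATTERNS."""
    return bool(scan_template(text))


if __name__ == "__main__":
    for label, template in (("benign", BENIGN_TEMPLATE), ("tampered", TAMPERED_TEMPLATE)):
        print(label, "->", scan_template(template) or "clean")
```

This is a detection aid for a file-integrity or upload-review pipeline, not a fix: the actual mitigation is to keep FreeMarker from exposing those objects in the first place (a restrictive `TemplateClassResolver` for `?new`, `?api` disabled, and a tight object wrapper), and a scanner that only knows the public gadgets will miss a novel one.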
More details and the exploitation process can be found in this PDF.
The initial vulnerability (CVE-2020-12873) and the blog post by Alvaro "pwntester" Munoz that inspired the SSTI research leading to this finding.
SSTI Case study: Alfresco by PortSwigger Research
The SSTI gadget used to escape the FreeMarker sandbox was inspired by this article by Vincent Herbulot of Synacktiv.
- This vulnerability was initially reported to security@alfresco.com on 22-Feb-2022
- Hyland reached out and the report was resubmitted to appsecurity@Hyland.com on 07-Apr-2022
- Retested the vulnerability on 19-Jan-2023 and found it fixed; the vendor had silently patched it (no advisory, no CVE, no communication)
- Publicly disclosed the vulnerability on 09-Dec-2023