Arbitrary Code Execution Affecting org.craftercms:crafter-engine package, versions [,3.1.0)
8 Sep 2021
19 Dec 2018
How to fix?
Upgrade org.craftercms:crafter-engine to version 3.1.0 or higher.
org.craftercms:crafter-engine is a Crafter Content Delivery Engine.
Affected versions of this package are vulnerable to Arbitrary Code Execution. Attackers with developer privileges may execute OS commands by creating or editing a template file (.ftl filetype) that triggers a call to freemarker.template.utility.Execute in the FreeMarker library during rendering of a web page.
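An audit of template sources for the call described above, as an added example that is not part of the advisory or of Crafter's code. The function names `audit_template` and `audit_tree` and the sample templates are assumptions made for illustration; the scan flags any `.ftl` line that names the `Execute` class or uses FreeMarker's `?new` built-in, which is how a template instantiates a class by name.

```python
import re
import sys
from pathlib import Path

# Class named in the advisory.
EXECUTE_CLASS = "freemarker.template.utility.Execute"
# FreeMarker's ?new built-in instantiates a class from a string. Flagging it on
# its own also covers class names that are not written out literally.
# It can also match a URL query such as "?new=1", so review each hit.
NEW_BUILTIN = re.compile(r"\?\s*new\b")


def audit_template(text):
    """Return (line_number, reason, line) findings for one template's source."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if EXECUTE_CLASS in line:
            findings.append((number, "references Execute class", line.strip()))
        elif NEW_BUILTIN.search(line):
            findings.append((number, "uses ?new built-in", line.strip()))
    return findings


def audit_tree(root):
    """Scan every .ftl file under root; return {path: findings} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.ftl")):
        hits = audit_template(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample templates (not taken from a real site).
SAMPLE_CLEAN = "<h1>${title}</h1>\n<p>${body}</p>\n"
SAMPLE_FLAGGED = (
    "<#-- constructed sample -->\n"
    '<#assign run = "freemarker.template.utility.Execute"?new()>\n'
    "<h1>${title}</h1>\n"
)

if __name__ == "__main__":
    # Usage: python audit_ftl.py /path/to/templates
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in audit_tree(root).items():
        for number, reason, line in hits:
            print(f"{path}:{number}: {reason}: {line}")
```

Run it over the template directories of a site and over template changes in version control; a hit is a prompt for manual review, not proof of abuse.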