CVE-2018-19907: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

December 19, 2018 (updated September 7, 2021)

A Server-Side Template Injection issue was discovered in Crafter CMS 3.0.18. Attackers with developer privileges may execute OS commands by Creating/Editing a template file (.ftl filetype) that triggers a call to freemarker.template.utility.Execute in the FreeMarker library during rendering of a web page.

References

github.com/advisories/GHSA-9fcp-vcq9-9h2h
github.com/craftercms/craftercms/issues/2677
nvd.nist.gov/vuln/detail/CVE-2018-19907

Code Behaviors & Features

Detect and mitigate CVE-2018-19907 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →