
CVE-2023-49964 PoC — Alfresco Community Edition Security Vulnerability

Source
Associated Vulnerability
Title: Alfresco Community Edition Security Vulnerability (CVE-2023-49964)
Description: Alfresco Community Edition is the community edition of an open-source enterprise content management system from the US company Alfresco. The system provides document management, office collaboration and related functions. Alfresco Community Edition 7.2.0 and earlier contain a security vulnerability: malicious content can be inserted through the folder.get.html.ftl file, and an attacker exploiting this may perform server-side template injection.
Description
CVE-2023-49964: FreeMarker Server-Side Template Injection in Alfresco
Readme
# CVE-2023-49964: FreeMarker Server-Side Template Injection in Alfresco

An issue was discovered in Hyland Alfresco Community Edition <=7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve RCE (Remote Code Execution).

**Note:** This issue exists because of an incomplete fix for CVE-2020-12873.

### NVD Disclosure:

The disclosure for this vulnerability can be found [here](https://nvd.nist.gov/vuln/detail/CVE-2023-49964).

### Requirements:

This vulnerability requires:

- Valid user credentials

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2023-49964/blob/main/Alfresco%20-%20CVE-2023-49964.pdf).

### Additional Resources:

Initial [vulnerability (CVE-2020-12873)](https://nvd.nist.gov/vuln/detail/CVE-2020-12873) and [blogpost](https://securitylab.github.com/advisories/GHSL-2020-039-alfresco/) by [Alvaro "pwntester" Munoz](https://github.com/pwntester) that inspired the SSTI research and finding of this vulnerability.

[SSTI Case study: Alfresco](https://portswigger.net/research/server-side-template-injection) by PortSwigger Research

The SSTI gadget used to escape the FreeMarker sandbox was inspired from this [article](https://www.synacktiv.com/publications/exploiting-cve-2021-25770-a-server-side-template-injection-in-youtrack) by [Vincent Herbulot of Synacktiv](https://www.synacktiv.com/en/our-team/pentest)

### Timeline:

- This vulnerability was initially reported to security@alfresco.com on 22-Feb-2022
- Hyland reached out and the report was resubmitted to appsecurity@Hyland.com on 07-Apr-2022
- Retested the vulnerability on 19-Jan-2023 and noticed that the vulnerability was fixed and the vendor decided to silently patch it (no advisory, no CVE, no communication)
- Publicly disclosed the vulnerability on 09-Dec-2023
File Snapshot

/data/pocs/bc629bd486915d5b381f34f5377a6cab61736a7a (4.0K)
├── Alfresco - CVE-2023-49964.pdf (947K)
└── README.md (2.0K)

0 directories, 2 files