Cyber Resilience

CVE-2023-49964

High

Published: 11 December 2023
Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0568 (90.6th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-49964 is a high-severity Injection (CWE-74) vulnerability in Hyland Alfresco Content Services. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 9.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-49964 is a server-side template injection vulnerability in Hyland Alfresco Community Edition through version 7.2.0. The flaw resides in the folder.get.html.ftl template and stems from an incomplete remediation of CVE-2020-12873; an attacker who can insert malicious FreeMarker content can access exposed objects, bypass existing restrictions, and obtain remote code execution. The issue carries a CVSS 3.1 base score of 8.8 and is classified under CWE-74.

An authenticated user with the ability to modify folder templates can exploit the vulnerability over the network without user interaction. Successful exploitation grants the attacker full control over the application server, including the capacity to execute arbitrary commands and access sensitive data.

Public references point to the Alfresco Community Edition download page for updated builds and to a GitHub repository containing technical details of the issue. Administrators are advised to obtain the latest available packages from the vendor site and to review template-handling configurations.

The associated EPSS score has remained flat at 0.0568 with no material increase since disclosure.

Vulnerability details

An issue was discovered in Hyland Alfresco Community Edition through 7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve RCE (Remote Code Execution). NOTE: this issue exists because of an incomplete fix for CVE-2020-12873.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

hyland
alfresco content services
≤ 7.2.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
