CVE-2023-49964
Published: 11 December 2023
Summary
CVE-2023-49964 is a high-severity Injection (CWE-74) vulnerability in Hyland Alfresco Content Services. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 9.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-49964 is a server-side template injection vulnerability in Hyland Alfresco Community Edition through version 7.2.0. The flaw resides in the folder.get.html.ftl template and stems from an incomplete remediation of CVE-2020-12873; an attacker who can insert malicious FreeMarker content can access exposed objects, bypass existing restrictions, and obtain remote code execution. The issue carries a CVSS 3.1 base score of 8.8 and is classified under CWE-74.
An authenticated user with the ability to modify folder templates can exploit the vulnerability over the network without user interaction. Successful exploitation grants the attacker full control over the application server, including the capacity to execute arbitrary commands and access sensitive data.
Public references point to the Alfresco Community Edition download page for updated builds and to a GitHub repository containing technical details of the issue. Administrators are advised to obtain the latest available packages from the vendor site and to review template-handling configurations.
The associated EPSS score has remained flat at 0.0568 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-53859
Vulnerability details
An issue was discovered in Hyland Alfresco Community Edition through 7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve RCE (Remote Code Execution). NOTE: this issue exists because of an incomplete fix for CVE-2020-12873.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.