Eforms: FreeMarker template execution injection

Issue date: 04-04-2022
Affects versions: 14.7, 13.4, 12.6

Security Issue ID

SECURITY-269


Affected Product Version(s)

12.6.24, 13.4.15, 14.7.3, and previous versions


Severity

low


Description

In affected versions of brXM, an authenticated content author can set a FreeMarker expression, such as "<#assign ex="freemarker.template.utility.Execute"?new()> ${ex("cat /somefile") }", through the eforms MailFormDataPlugin; the expression is then executed (and its output emailed) each time a site visitor submits the form.

The vulnerability is rated with low severity because, with proper use of document workflows and permissions, the form would require approval from an editor before such a FreeMarker expression could be applied. Actual exploitation would therefore require collaboration between two separate authenticated users, one of whom has at least editor-level publication access.
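The root cause described above is that author-controlled text is rendered as a FreeMarker template while the "?new" built-in is still allowed to instantiate arbitrary Java classes. The following is an added example (not brXM, eforms, or Bloomreach code) showing the FreeMarker-level mitigation a defender would apply where rendering such content cannot be avoided: the Configuration's new-built-in class resolver is set to TemplateClassResolver.ALLOWS_NOTHING_RESOLVER, so any "?new" in a template is rejected at render time while ordinary interpolation keeps working. The class name HardenedMailTemplateRenderer, the sample form data, and the FreeMarker version constant are assumptions; the brXM version's FreeMarker release is not stated on the page.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not project code: renders a mail-body template that may
 * originate from a CMS author through a FreeMarker Configuration whose
 * "?new" built-in refuses every class name, so a template cannot construct
 * classes such as freemarker.template.utility.Execute.
 */
public class HardenedMailTemplateRenderer {

    private final Configuration cfg;

    public HardenedMailTemplateRenderer() {
        // Assumed FreeMarker 2.3.x; adjust the version constant to the release in use.
        cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setDefaultEncoding("UTF-8");
        // Mitigation: the default resolver (UNRESTRICTED_RESOLVER) lets a template
        // instantiate any class via "?new"; ALLOWS_NOTHING_RESOLVER rejects all of them.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
    }

    /**
     * Renders an author-supplied template body against a data model.
     * Throws TemplateException when the body tries to use "?new".
     */
    public String render(String templateName, String body, Map<String, Object> dataModel)
            throws IOException, TemplateException {
        Template template = new Template(templateName, new StringReader(body), cfg);
        StringWriter out = new StringWriter();
        template.process(dataModel, out);
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        HardenedMailTemplateRenderer renderer = new HardenedMailTemplateRenderer();

        // Constructed sample form submission.
        Map<String, Object> form = new HashMap<>();
        form.put("name", "Ada");

        // A legitimate mail body still renders normally.
        String benign = "Thank you, ${name}, your form was received.";
        try {
            System.out.println("Rendered: " + renderer.render("benign", benign, form));
        } catch (TemplateException e) {
            System.out.println("Unexpected rejection: " + e.getMessage());
        }

        // A body that tries to instantiate a class via "?new" (a harmless class is
        // used here; the resolver blocks every class name alike) is rejected.
        String usesNew = "<#assign sb=\"java.lang.StringBuilder\"?new()>rendered";
        try {
            renderer.render("usesNew", usesNew, form);
            System.out.println("Not rejected: resolver is not in effect");
        } catch (TemplateException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```

The resolver applies per Configuration, so it must be set on the Configuration instance that actually renders author-supplied bodies; a separate Configuration used for developer-authored site templates can keep its own settings. Blocking "?new" removes the instantiation primitive used in this advisory, but it does not make author-controlled templates safe in general, so keeping template bodies out of author-editable fields remains the primary control, with the workflow approval the advisory describes as the compensating one.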

Instructions

Update to 14.7.5, 13.4.16, 12.6.25, or later versions.