CVE-2018-19907

HIGH

Crafter CMS 3.0.18 - Command Injection

Title source: llm
STIX 2.1

Description

A Server-Side Template Injection issue was discovered in Crafter CMS 3.0.18. Attackers with developer privileges may execute OS commands by Creating/Editing a template file (.ftl filetype) that triggers a call to freemarker.template.utility.Execute in the FreeMarker library during rendering of a web page.

References (2)

Core 2

Scores

CVSS v3 8.8
EPSS 0.0169
EPSS Percentile 74.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (2)
craftercms/crafter_cms < 3.0.18
org.craftercms/crafter-studio 0Maven
Published Dec 06, 2018
Tracked Since Feb 18, 2026