CVE-2021-41790

HIGH

Hyland org.alfresco:alfresco-content-services <7.0.1.2 - RCE

Title source: llm

Description

An issue was discovered in Hyland org.alfresco:alfresco-content-services through 7.0.1.2. Script Action execution allows executing scripts uploaded outside of the Data Dictionary. This could allow a logged-in attacker to execute arbitrary code inside a sandboxed environment.

References (2)

Core 2

Core References

Third Party Advisory x_refsource_misc

https://www.themissinglink.com.au/

Third Party Advisory x_refsource_misc

https://github.com/Alfresco/acs-packaging/blob/master/DISCLOSURES.md

View Writeup ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0085

EPSS Percentile 75.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status published

Products (4)

alfresco/alfresco_content_services 7.0

alfresco/alfresco_content_services 7.0.0.1

alfresco/alfresco_content_services 7.0.0.2

alfresco/alfresco_content_services 5.0.0.0 - 5.2.7.11

Published Oct 21, 2021

Tracked Since Feb 18, 2026