| 제목 | sanluan PublicCMS V4.0.202506.a, V4.0.202506.b, V5.202506.a, V5.202506.b, V5.202506.d, V6.202506.d Code Injection |
|---|
| 설명 | PublicCMS versions V4.0, V5 (through V5.202506.d), and V6 (through V6.202506.d) are vulnerable to a Server-Side Template Injection (SSTI) that leads to Remote Code Execution (RCE). The AbstractFreemarkerView.doRender() method does not sanitize the Application (ServletContext) variable exposed to FreeMarker templates. An authenticated admin user can access the Spring ApplicationContext via Application["org.springframework.web.context.WebApplicationContext.ROOT"], retrieve the FreeMarker Configuration object, disable the new_builtin_class_resolver security restriction at runtime, and execute arbitrary operating system commands via freemarker.template.utility.Execute. A secondary bypass path exists through HttpRequestHashModel.get(), which passes request.getAttribute() calls without filtering, allowing access to the ApplicationContext via Spring DispatcherServlet internal attributes. |
|---|
| 원천 | ⚠️ https://github.com/sanluan/PublicCMS/issues/113 |
|---|
| 사용자 | anch0r (UID 96691) |
|---|
| 제출 | 2026. 03. 29. PM 02:11 (19 날 ago) |
|---|
| 모더레이션 | 2026. 04. 09. PM 02:27 (11 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 356541 [Sanluan PublicCMS 까지 6.202506.d FreeMarker Template AbstractFreemarkerView.java AbstractFreemarkerView.doRender 권한 상승] |
|---|
| 포인트들 | 20 |
|---|