| 标题 | sanluan PublicCMS V4.0.202506.a, V4.0.202506.b, V5.202506.a, V5.202506.b, V5.202506.d, V6.202506.d Code Injection |
|---|
| 描述 | PublicCMS versions V4.0, V5 (through V5.202506.d), and V6 (through V6.202506.d) are vulnerable to a Server-Side Template Injection (SSTI) that leads to Remote Code Execution (RCE). The AbstractFreemarkerView.doRender() method does not sanitize the Application (ServletContext) variable exposed to FreeMarker templates. An authenticated admin user can access the Spring ApplicationContext via Application["org.springframework.web.context.WebApplicationContext.ROOT"], retrieve the FreeMarker Configuration object, disable the new_builtin_class_resolver security restriction at runtime, and execute arbitrary operating system commands via freemarker.template.utility.Execute. A secondary bypass path exists through HttpRequestHashModel.get(), which passes request.getAttribute() calls without filtering, allowing access to the ApplicationContext via Spring DispatcherServlet internal attributes. |
|---|
| 来源 | ⚠️ https://github.com/sanluan/PublicCMS/issues/113 |
|---|
| 用户 | anch0r (UID 96691) |
|---|
| 提交 | 2026-03-29 14時11分 (17 日前) |
|---|
| 管理 | 2026-04-09 14時27分 (11 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 356541 [Sanluan PublicCMS 直到 6.202506.d FreeMarker Template AbstractFreemarkerView.java AbstractFreemarkerView.doRender 权限提升] |
|---|
| 积分 | 20 |
|---|