A user with privileges to edit a FreeMarker template (e.g. a webscript) may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Alfresco.
Alfresco Community 6.2.0-GA (Released: 28 Nov, 2019)
Even though Alfresco does a good job limiting what objects are available to FreeMarker templates, it is still possible to find objects which can be used to bypass the FreeMarker sandbox. Deep inspection of the exposed objects' object graph allows an attacker to get access to objects that allow them to instantiate arbitrary Java objects.
This issue may lead to
Remote Code Execution.
This report was subject to the GHSL coordinated disclosure policy.
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Munoz).
You can contact the GHSL team at
firstname.lastname@example.org, please include a reference to
GHSL-2020-039 in any communication regarding this issue.