August 19, 2020

GHSL-2020-076: Server-Side Template Injection in Cascade CMS

Alvaro Munoz


A user with privileges to edit templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Cascade CMS.


Cascade CMS

Tested Version

Cascade CMS v8.14.cloud5 (57164371131571924e45d18fbd2725f3d8d124d4)


Server-Side Template Injection (Velocity)

Cascade CMS does not use the Velocity SecureUberspector, which allows attackers who are able to modify or create templates to execute arbitrary Java code and achieve remote code execution. For example, the following template will run the system id command:

#set( $scriptEngine = $currentPage.class.forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('js') )
${scriptEngine.eval("var x=new java.lang.ProcessBuilder('id');")}

In addition, Cascade CMS exposes Velocity FieldTool through the $_FieldTool variable. This tool allows accessing any public static field on any class reachable by the Velocity ClassLoader.
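
For auditing templates that already exist on an instance, the following sketch flags the constructs named above: reflection through `.class` and `forName`, the script engine, `ProcessBuilder`, and `$_FieldTool`. It is an added example, not code from the advisory or from Cascade CMS; the rule names and sample templates are constructed, and pattern matching is a triage aid, not a replacement for SecureUberspector.

```python
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    line: int
    rule: str
    text: str


# Rule names are this example's own; each pattern targets a construct that the
# advisory's template or its FieldTool note relies on.
RULES = [
    # Velocity resolves the property ".class" to getClass().
    ("class-access", re.compile(r"\.(?:[Cc]lass\b|getClass\s*\()")),
    ("class-forname", re.compile(r"\bforName\s*\(")),
    ("script-engine", re.compile(r"\bScriptEngineManager\b|\bgetEngineByName\s*\(")),
    ("process-spawn", re.compile(r"\bProcessBuilder\b")),
    ("field-tool", re.compile(r"\$!?\{?_FieldTool\b")),
]


def scan_template(source: str) -> List[Finding]:
    """Return one Finding per (line, rule) hit, in line order."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(number, rule, line.strip()))
    return findings


def scan_many(templates: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan named templates and keep only those with at least one finding."""
    results = {name: scan_template(body) for name, body in templates.items()}
    return {name: hits for name, hits in results.items() if hits}


# Constructed sample templates, not taken from a real Cascade CMS site.
SAMPLES = {
    "news-listing": "<h1>$currentPage.name</h1>\n<p>$item.classification</p>\n",
    "footer-format": (
        "#set( $e = $currentPage.class.forName('javax.script.ScriptEngineManager') )\n"
        "<p>ok</p>\n"
        "Max: $_FieldTool.in('java.lang.Integer').MAX_VALUE\n"
    ),
}

if __name__ == "__main__":
    for name, hits in scan_many(SAMPLES).items():
        for hit in hits:
            print(f"{name}:{hit.line}: [{hit.rule}] {hit.text}")
```
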


This issue may lead to Remote Code Execution.

Coordinated Disclosure Timeline


This issue was discovered and reported by GHSL team member @pwntester (Alvaro Munoz).


You can contact the GHSL team at, please include the GHSL-2020-076 in any communication regarding this issue.