Описание
XDocReport affected by a Server-Side Template Injection (SSTI) vulnerability
A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2025-64087
- https://github.com/opensagres/xdocreport/pull/705
- https://github.com/opensagres/xdocreport/commit/3b35d105e5ae2006bcaa2b07563188efc466711d
- https://github.com/AT190510-Cuong/CVE-2025-64087-SSTI-
- https://hackmd.io/@cuongnh/BJEnw7SAlg
- https://hackmd.io/@cuongnh/SkQvhEf0lx
Пакеты
Наименование
fr.opensagres.xdocreport:fr.opensagres.xdocreport.template.freemarker
maven
Затронутые версииВерсия исправления
<= 2.1.0
Отсутствует
Связанные уязвимости
CVSS3: 9.8
nvd
18 дней назад
A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions.