Description
Authenticated users with Administrator or Developer roles may execute OS commands via SpEL expressions in Spring beans. SpEL expression evaluation has no security restrictions, which allows an attacker to execute arbitrary commands remotely (RCE).
References
- Vendor Advisory
- Vendor Advisory
Vulnerable configurations
Configuration 1: versions from 3.1.0 (inclusive) up to 3.1.12 (exclusive)
cpe:2.3:a:craftercms:crafter_cms:*:*:*:*:*:*:*:*
EPSS
Percentile: 52%
Score: 0.00292
Rating: Low
CVSS3: 4.2 Medium
CVSS3: 7.2 High
CVSS2: 6.5 Medium
Weaknesses
CWE-913
Related vulnerabilities
github
about 4 years ago
Authenticated users with Administrator or Developer roles may execute OS commands via SpEL expressions in Spring beans. SpEL expression evaluation has no security restrictions, which allows an attacker to execute arbitrary commands remotely (RCE).
EPSS
Percentile: 52%
Score: 0.00292
Rating: Low
CVSS3: 4.2 Medium
CVSS3: 7.2 High
CVSS2: 6.5 Medium
Weaknesses
CWE-913