A Server-Side Freemarker template injection vulnerability could cause remote command execution #419
Closed
In the Edit Theme File function, I can edit the ftl file. This is the FreeMarker template file. This file can cause arbitrary code execution when it is rendered in the background.

RCE code is
Then visit an arbitrary 404 page, and this vulnerability is triggered.

Such as http://demo.halo/foo
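FreeMarker lets a template instantiate Java classes through its `?new` built-in unless the engine is configured otherwise, which is why an editable `.ftl` file needs a restricted `Configuration`. The following is an added example, not code from the issue or from Halo; the class name `HardenedThemeRenderer` and both sample templates are constructed for illustration.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;

// Hypothetical class name; not part of Halo.
public class HardenedThemeRenderer {

    static Configuration hardenedConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);
        // The default is UNRESTRICTED_RESOLVER, under which ?new may load any
        // class that implements TemplateModel. Refuse all class loading instead.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // ?api is off by default; keep it off so templates cannot reach raw Java APIs.
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    // Renders template source with the given config; reports a blocked template
    // instead of propagating the exception.
    static String render(Configuration cfg, String source, Map<String, Object> model) {
        try {
            Template t = new Template("theme-file", new StringReader(source), cfg);
            StringWriter out = new StringWriter();
            t.process(model, out);
            return out.toString();
        } catch (TemplateException | IOException e) {
            return "BLOCKED: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        Configuration cfg = hardenedConfig();
        // Constructed sample: an ordinary theme template still renders.
        System.out.println(render(cfg, "<h1>${title}</h1>", Map.of("title", "404")));
        // Constructed sample: an edited template that tries to instantiate a
        // (harmless) class via ?new is rejected by the resolver at render time.
        String edited = "<#assign v = \"freemarker.template.SimpleScalar\"?new(\"x\")>${v}";
        System.out.println(render(cfg, edited, Map.of()));
    }
}
```

`TemplateClassResolver.SAFER_RESOLVER` is the less strict alternative when themes legitimately need `?new`.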