A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions.
An attacker injects crafted template expressions into the FreeMarker engine handled by XDocReport. The library processes the supplied data as template code instead of treating it as plain text, leading to interpretation and execution of embedded commands on the server side. The attack requires no authentication or user interaction, and the complexity of carrying it out is low.
Successful exploitation of the vulnerability allows an attacker to execute arbitrary code remotely (RCE) on the server, which may lead to complete system compromise, disclosure of sensitive data, and violation of service integrity and availability.
Apply patches available from the vendor according to the references — pull request no. 705 is available in the opensagres/xdocreport GitHub repository. It is recommended to urgently update to a version containing the fix and to restrict the ability to provide external input data to template processing mechanisms.
opensagres XDocReport in versions from 1.0.0 to 2.1.0 (FreeMarker component)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOpensagres Xdocreport
APPOpensagres1.0.0 – 2.1.0