Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a webpage. The groovy script does not have security restrictions, which will cause attackers to execute arbitrary commands remotely(RCE).
CPE | Name | Operator | Version |
---|---|---|---|
crafter_cms | ge | 3.1.0 | |
crafter_cms | lt | 3.1.12 |