CraftCMS Freeform Server-Side Template Injection Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A server-side template injection (SSTI) vulnerability has been identified in the CraftCMS Freeform plugin, affecting versions from 5.0.0 up to, but not including, 5.10.16. It allows arbitrary code execution by any user who can edit a form's submission title. The root cause is that the Freeform plugin's implementation of the 'call' Twig filter does not properly validate the user-controlled input it receives.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where CraftCMS is hosted.

Reproduction

To reproduce this vulnerability, create a form and set a submission title that includes a crafted Twig expression. This expression should use the 'call' filter to execute a system command, such as a curl request to a remote server. After saving the form, include it in a template and submit it. The executed command will trigger an HTTP request to the specified server, confirming the execution.

Remediation

Users can update to CraftCMS Freeform version 5.10.16 or later, where this vulnerability has been fixed.
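One practical remediation check is to confirm which Freeform release a site actually has locked. The script below is an added example and is not code from the advisory or from the Freeform project; it assumes the plugin is installed through Composer under the package name `solspace/craft-freeform` (an assumption) and reads the `packages` and `packages-dev` arrays of a composer.lock file. It goes slightly beyond the advisory's two version numbers by tolerating a leading `v` and pre-release suffixes, and reports whether the locked version falls in the affected range 5.0.0 <= version < 5.10.16.

```python
"""Audit a Composer lockfile for a Freeform version in the affected range.

Added example, not part of the advisory or of the Freeform project. It assumes
the plugin is installed via Composer under the package name
``solspace/craft-freeform`` (assumption) and reads the ``packages`` and
``packages-dev`` arrays of a composer.lock file.
"""
import json
import re
from typing import Optional, Tuple

PACKAGE = "solspace/craft-freeform"  # assumed Composer package name
VULN_FROM = (5, 0, 0)      # first affected version, from the advisory
FIXED_IN = (5, 10, 16)     # first fixed version, from the advisory


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.10.3', 'v5.10.3' or '5.10.3-beta.1' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def installed_version(lock_json: str) -> Optional[str]:
    """Return the locked version of the Freeform package, or None if absent."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None


def is_vulnerable(version: str) -> bool:
    """True when 5.0.0 <= version < 5.10.16 (the range given in the advisory)."""
    return VULN_FROM <= parse_version(version) < FIXED_IN


def audit(lock_json: str) -> str:
    """Summarise a lockfile as 'vulnerable', 'patched' or 'freeform-not-installed'."""
    ver = installed_version(lock_json)
    if ver is None:
        return "freeform-not-installed"
    return "vulnerable" if is_vulnerable(ver) else "patched"


# Constructed sample lockfile for demonstration; not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.4.0"},
        {"name": "solspace/craft-freeform", "version": "5.10.2"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(audit(SAMPLE_LOCK))  # vulnerable
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `open("composer.lock").read()`; a result of `vulnerable` means the site should be moved to 5.10.16 or later as the advisory recommends.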

Added: Aug 27, 2025, 3:24 PM
Updated: Aug 27, 2025, 3:24 PM

Vulnerability Rating

Custom Algorithm scores (0.0 to 10.0):

spread: 0.0
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.