OpenSAGRES XDocReport FreeMarker Server-Side Template Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A Server-Side Template Injection (SSTI) vulnerability has been identified in the FreeMarker component of OpenSAGRES XDocReport, affecting versions 1.0.0 through 2.1.0. This vulnerability allows attackers to execute arbitrary code by injecting crafted template expressions into DOCX files. The issue arises because the application processes these files using the FreeMarker template engine without proper input validation or filtering, enabling remote code execution on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where the application is running.

Reproduction

To reproduce this vulnerability, upload a DOCX file containing a payload that exploits the SSTI vulnerability, such as one that uses the FreeMarker 'Execute' utility to run a command like 'whoami' or 'calc'. After the file is processed by the application, the injected command will be executed on the server, demonstrating the successful exploitation of the vulnerability.

Remediation

Users can update to the latest version of OpenSAGRES XDocReport, where this vulnerability has been addressed. Instructions for updating can be found in the project's documentation.
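As defence in depth for applications that embed FreeMarker themselves, the following added example (not code from the advisory or from the XDocReport project) shows the FreeMarker-level setting that removes the capability the described payload depends on: the `?new` built-in, which is what lets a template instantiate the `Execute` utility. The class name `HardenedFreemarker`, the template strings and the data model are constructed for the example; the FreeMarker version constant is assumed and should match the version actually on the classpath. Whether an application can reach the `Configuration` that XDocReport uses internally is not stated by the advisory, so the example configures a stand-alone `Configuration`.

```java
// Added example (not part of the advisory or the XDocReport project): a FreeMarker
// Configuration hardened so that the ?new built-in cannot instantiate any class.
// The advisory's payload relies on ?new to obtain freemarker.template.utility.Execute;
// with the resolver below, every ?new call fails at render time.
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class HardenedFreemarker {

    /** Build a Configuration that refuses every ?new call. */
    static Configuration hardenedConfiguration() {
        // Version constant is an assumption; use the one matching your FreeMarker jar.
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // ALLOWS_NOTHING_RESOLVER: ?new always throws a TemplateException.
        // SAFER_RESOLVER is the narrower alternative: it blocks only Execute,
        // ObjectConstructor and JythonRuntime but still allows other classes.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        return cfg;
    }

    /** Render a template source string (constructed; stands in for text extracted from a DOCX). */
    static String render(Configuration cfg, String source, Map<String, Object> model)
            throws IOException, TemplateException {
        Template t = new Template("uploaded-docx", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();
        Map<String, Object> model = new HashMap<>();
        model.put("name", "report"); // constructed data model

        // Ordinary data binding still works under the hardened configuration.
        System.out.println(render(cfg, "Hello ${name}", model));

        // Any ?new usage is rejected, here shown with a harmless class; this is the
        // same built-in a malicious template would use to reach the Execute utility.
        try {
            render(cfg, "${\"java.lang.StringBuilder\"?new()}", model);
            System.out.println("UNEXPECTED: ?new was allowed");
        } catch (TemplateException e) {
            System.out.println("Blocked: " + e.getMessage());
        }
    }
}
```

Setting the resolver on the `Configuration` is a single point of control: it does not require scanning uploaded DOCX content for directive syntax, which is easy to evade, and it applies to every template the configuration processes. It is a mitigation for the class of issue, not a substitute for applying the fixed XDocReport release.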

Added: Jan 20, 2026, 4:44 PM
Updated: Jan 20, 2026, 4:44 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.3
remediation: 0.0
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.