1024-lab SmartAdmin Server-Side Template Injection Vulnerability

Vulnerability

A server-side template injection vulnerability has been identified in 1024-lab/lab1024 SmartAdmin versions through 3.29. The issue arises in the email template rendering functionality, which uses the Apache FreeMarker template engine, and is located in the 'freemarkerResolverContent' function of 'MailService.java'. An attacker with access to modify the 'template_content' field in the 't_mail_template' table can inject arbitrary FreeMarker expressions. These injected expressions are evaluated on the server when the email is sent, potentially leading to remote code execution with the privileges of the application server process and, from there, complete system compromise.

Impact

Exploitation of this vulnerability allows for server-side template injection, with the potential for remote code execution on the application server.

Reproduction

To reproduce this vulnerability, an attacker must have the ability to modify the 'template_content' field in the 't_mail_template' table. Once this access is obtained, arbitrary FreeMarker expressions can be injected into the template content. When an email is sent using the modified template, the injected expressions are executed on the server, leading to code execution.
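The Vulnerability and Reproduction sections above describe the same root cause: a string read from the database is compiled and evaluated as FreeMarker template code. The following is an added example, not code from SmartAdmin or from MailService.java, that shows that pattern beside a hardened rendering configuration. The method names (renderDbTemplateUnsafe, renderDbTemplateHardened), the sample template and the data model values are assumptions constructed for this illustration; the FreeMarker APIs used (TemplateClassResolver.ALLOWS_NOTHING_RESOLVER, setAPIBuiltinEnabled, SimpleObjectWrapper, HTMLOutputFormat) are real engine features.

```java
// Added example (not SmartAdmin's code): the vulnerable rendering pattern the
// advisory describes, beside a hardened FreeMarker configuration. Method and
// variable names here are assumptions chosen for this illustration.
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.SimpleObjectWrapper;
import freemarker.template.Template;
import freemarker.template.TemplateClassResolver;
import freemarker.template.TemplateException;
import freemarker.template.Version;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class MailTemplateRendering {

    private static final Version FM_VERSION = Configuration.VERSION_2_3_31;

    // VULNERABLE PATTERN: whatever is stored in t_mail_template.template_content
    // is compiled as a FreeMarker template under a default Configuration, and the
    // data model may carry live Java objects. Anyone who can write that column
    // therefore controls template code, not merely mail text.
    public static String renderDbTemplateUnsafe(String templateContent, Map<String, Object> model)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(FM_VERSION);
        Template t = new Template("mail", new StringReader(templateContent), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    // HARDENED PATTERN: the column is still treated as a template, so legitimate
    // placeholders such as ${userName} keep working, but the engine is locked down:
    //  - ALLOWS_NOTHING_RESOLVER blocks the ?new built-in that instantiates
    //    arbitrary classes from template code;
    //  - setAPIBuiltinEnabled(false) disables the ?api built-in (off by default,
    //    set explicitly so a later config change cannot silently enable it);
    //  - SimpleObjectWrapper wraps only strings, numbers, dates, collections, maps
    //    and arrays, so no bean methods are reachable from the template;
    //  - the data model is built from plain String values only;
    //  - HTML auto-escaping prevents stored values from injecting markup.
    public static String renderDbTemplateHardened(String templateContent, Map<String, String> values)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(FM_VERSION);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        cfg.setAPIBuiltinEnabled(false);
        cfg.setObjectWrapper(new SimpleObjectWrapper(FM_VERSION));
        cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);

        Map<String, Object> model = new HashMap<>(values); // strings only, no live objects
        Template t = new Template("mail", new StringReader(templateContent), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a benign mail template as an administrator would store it.
        String stored = "Hello ${userName}, your verification code is ${code}.";
        Map<String, String> values = new HashMap<>();
        values.put("userName", "Alice");
        values.put("code", "493021");
        System.out.println(renderDbTemplateHardened(stored, values));
        // prints: Hello Alice, your verification code is 493021.
    }
}
```

The hardened configuration reduces what injected template code can reach, but it does not change the fact that the 'template_content' column is executable code for the engine. Write access to that column should therefore be treated as equivalent to code execution: restrict it to a small administrative role, and log and review every change to 't_mail_template' so that an unexpected modification is visible before the next email is sent.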

Added: Mar 8, 2026, 9:22 AM
Updated: Mar 8, 2026, 9:22 AM

Vulnerability Rating

Custom Algorithm

  metric          score
  spread          0.0
  impact          10.0
  exploitability  5.7
  remediation     0.0
  relevance       3.8
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.