By inserting malicious content in a message’s “Subject” field, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and obtain RCE (Remote Code Execution).
Note: Although this vulnerability requires a valid user’s interaction to trigger the SSTI, the malicious payload can be sent by any unauthenticated attacker that creates an e-commerce account.
The vendor's disclosure and fix for this vulnerability can be found here.
This vulnerability requires:
- Registering a new user or valid user credentials
- User interaction of a administrative user
More details and the exploitation process can be found in this PDF.
Initial vulnerability GHSL-2020-070 and blogpost by Alvaro "pwntester" Munoz that inspired the SSTI research and finding of this vulnerability.