Eforms: Freemarker template execution injection 

Issue date: 04-04-2022
Affects versions: 14.7, 13.4, 12.6

Security Issue ID



Affected Product Version(s)
12.6.24, 13.4.15, 14.7.3, and previous versions




In affected versions of brXM, it is possible for an authenticated content author to set a freemarker expression, such as "<#assign ex="freemarker.template.utility.Execute"?new()> ${ex("cat /somefile") }" through the eforms MailFormDataPlugin, and get it executed (and emailed) each time a site visitor would submit a form.

The vulnerability is rated with low severity, since with the proper usage of document workflows and permissions, the form would require approval from an editor before such freemarker expression could be applied. Therefore, actual exploitation would require collaboration from two separate authenticated users, one of whom has at least editor level publication access.


Update to 14.7.5, 13.4.16, 12.6.25, or later versions.