By inserting malicious content into the Notification FTL files, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker's exposed objects to bypass restrictions and obtain RCE (Remote Code Execution).
Note: This issue exists because of an incomplete fix for CVE-2021-25770.
The vendor's disclosure and fix for this vulnerability can be found here.
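As an added example (not the vendor's fix and not code from this advisory), the following shows the FreeMarker engine settings that deny a template author the class-resolution and API built-ins the description above refers to, and checks that a template using `?new` is rejected while a normal notification still renders. It assumes a FreeMarker 2.3.x dependency on the classpath; the template strings and model values are constructed for the demonstration.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.ext.beans.BeansWrapper;
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapperBuilder;
import freemarker.template.Template;
import freemarker.template.TemplateClassResolver;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class HardenedNotificationTemplates {

    // Constructed sample templates: a normal notification, and one that uses the ?new
    // built-in (class instantiation), which a notification author must never be able to do.
    static final String BENIGN = "Issue ${issue.id} was updated by ${user.name}.";
    static final String USES_NEW = "${\"java.util.Date\"?new()}";

    /** Hardened engine: no class resolution, no ?api, and beans expose properties only. */
    static Configuration hardenedConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER); // ?new -> error
        cfg.setAPIBuiltinEnabled(false);                                                // ?api -> error
        DefaultObjectWrapperBuilder owb = new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_31);
        owb.setExposureLevel(BeansWrapper.EXPOSE_PROPERTIES_ONLY); // no arbitrary method calls on beans
        cfg.setObjectWrapper(owb.build());
        return cfg;
    }

    /** Renders a user-editable template against a fixed model; a rejected template throws. */
    static String render(Configuration cfg, String name, String source, Map<String, Object> model)
            throws IOException, TemplateException {
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate(name, source);
        cfg.setTemplateLoader(loader);
        Template t = cfg.getTemplate(name);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws IOException, TemplateException {
        Configuration cfg = hardenedConfig();
        Map<String, Object> model = new HashMap<>();
        model.put("issue", Map.of("id", "PRJ-42"));   // constructed model values
        model.put("user", Map.of("name", "alice"));
        System.out.println(render(cfg, "benign.ftl", BENIGN, model)); // renders normally
        try {
            render(cfg, "probe.ftl", USES_NEW, model);
            System.out.println("FAIL: hardened config still allowed ?new");
        } catch (TemplateException e) {
            System.out.println("OK: ?new rejected by ALLOWS_NOTHING_RESOLVER");
        }
    }
}
```

These settings limit what an injected template can reach; they do not replace restricting who may edit notification templates in the first place.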
This vulnerability requires:
- Valid user credentials
More details and the exploitation process can be found in this PDF.
This vulnerability was found thanks to an awesome article by Vincent Herbulot of Synacktiv.
The initial vulnerability, CVE-2021-25770, was discovered by Vasily Vasilkov.