CVE-2023-49964
CVE-2023-49964 is a high-severity vulnerability in Hyland Alfresco Content Services with a CVSS 3.x base score of 8.8. Its EPSS exploit-prediction score of 35% places it in the 98th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-74.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- EPSS exploit prediction: 35% (98th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-74
- Affected product: Hyland Alfresco Content Services
- Published:
- Last modified:
Description
An issue was discovered in Hyland Alfresco Community Edition through 7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve RCE (Remote Code Execution). NOTE: this issue exists because of an incomplete fix for CVE-2020-12873.
Frequently asked questions
- What is CVE-2023-49964?
- An issue was discovered in Hyland Alfresco Community Edition through 7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve RCE (Remote Code Execution). NOTE: this issue exists because of an incomplete fix for CVE-2020-12873.
- How severe is CVE-2023-49964?
- CVE-2023-49964 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-49964 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 35% (98th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-49964?
- CVE-2023-49964 affects Hyland Alfresco Content Services. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-49964?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2023-49964 published?
- CVE-2023-49964 was published on 2023-12-11 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:hyland:alfresco_content_services:*:*:*:*:community:*:*:*
More vulnerabilities in Hyland Alfresco Content Services
- CVE-2026-26336 — High (CVSS 7.5): Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via…
- CVE-2024-40347 — Medium (CVSS 6.1): A reflected cross-site scripting (XSS) vulnerability in Hyland Alfresco Platform 23.2.1-r96 allows attackers to execute…
All CVEs affecting Hyland Alfresco Content Services →
Other CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities
- CVE-2026-25586 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty…
- CVE-2026-25520 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped.…
- CVE-2025-20265 — Critical (CVSS 10.0): A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2025-20337 — Critical (CVSS 10.0): A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2025-20281 — Critical (CVSS 10.0): A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2024-42472 — Critical (CVSS 10.0): Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious…
Browse all CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities →