An issue in the FreeMarker Filter of Magnolia CMS v6.2.17 and below allows attackers to bypass security restrictions and execute arbitrary code, read/write/move/copy/delete arbitrary files or launch DoS attacks via a crafted FreeMarker payload. Arbitrary code execution was successfully achieved via writing arbitrary JSP files.
This vulnerability was found in collaboration with Marian-Razvan Ilisanu.
The vendor's disclosure and fix for this vulnerability can be found here.
Neither I nor the vendor requested a CVE for these vulnerabilities.
More details and the exploitation process can be found in this PDF.
The "servletContext" SSTI gadget that results in the execution of arbitrary system commands was inspired by this advisory.
The H2 "INIT=RUNSCRIPT" payload was taken from this blog post.
The JSP code used to execute arbitrary system commands can be found here.