An issue was discovered in Hyland org.alfresco:alfresco-content-services through 7.0.1.2. Script Action execution allows executing scripts uploaded outside of the Data Dictionary. This could allow a logged-in attacker to execute arbitrary code inside a sandboxed environment.
{
"versions": [
{
"introduced": "6.0.0.0"
},
{
"last_affected": "6.0.1.9"
},
{
"introduced": "6.1.0.0"
},
{
"last_affected": "6.1.1.10"
},
{
"introduced": "6.2.0.0"
},
{
"last_affected": "6.2.2.18"
},
{
"introduced": "7.0.1.0"
},
{
"last_affected": "7.0.1.2"
},
{
"introduced": "0"
},
{
"last_affected": "7.0"
},
{
"introduced": "0"
},
{
"last_affected": "7.0.0.1"
},
{
"introduced": "0"
},
{
"last_affected": "7.0.0.2"
}
]
}