CVE-2021-46361: 
Java vulnerability analysis and mitigation

An issue in the Freemark Filter of Magnolia CMS v6.2.11 and below allows attackers to bypass security restrictions and execute arbitrary code via a crafted FreeMarker payload. The vulnerability was disclosed on February 11, 2022, and was assigned CVE-2021-46361. The vulnerability affects Magnolia CMS versions up to and including 6.2.11 (NVD, Magnolia Advisory).

The vulnerability exists in the FreeMarker Template parser implementation of Magnolia CMS. Despite having restrictions against dangerous elements like FreeMarker "?new" built-in and Java "class", "getClass", and "forName", the vulnerability allows bypassing these security controls. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows attackers to execute arbitrary code on the affected system through a crafted FreeMarker payload. This could lead to complete system compromise, allowing attackers to execute commands with the privileges of the web application (Github Disclosure).

The vulnerability was fixed in Magnolia CMS version 6.2.12. Users are advised to upgrade to this version or later to address the security issue. The fix was released as part of a security advisory in the 6.2.12 release (Magnolia Advisory).