An issue in the FreeMarker Filter of Magnolia CMS v6.2.16 and below allows attackers to bypass security restrictions and read/write/move/copy/delete arbitrary files via a crafted FreeMarker payload. Arbitrary code execution was successfully achieved via writing arbitrary JSP files.

The vendor's disclosure and fix for this vulnerability can be found here.

Neither me nor the vendor requested a CVE for these vulnerabilities.

More details and the exploitation process can be found in this PDF.

The JSP code used to execute arbitrary system commands can be found here