{"id":"CVE-2021-41790","details":"An issue was discovered in Hyland org.alfresco:alfresco-content-services through 7.0.1.2. Script Action execution allows executing scripts uploaded outside of the Data Dictionary. This could allow a logged-in attacker to execute arbitrary code inside a sandboxed environment.","modified":"2026-04-11T12:38:11.464306Z","published":"2021-10-21T09:15:08.790Z","database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:a:alfresco:alfresco_content_services:*:*:*:*:enterprise:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"5.0.0.0"},{"last_affected":"5.2.7.11"}]}]},"references":[{"type":"ADVISORY","url":"https://github.com/Alfresco/acs-packaging/blob/master/DISCLOSURES.md"},{"type":"ADVISORY","url":"https://www.themissinglink.com.au/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/alfresco/acs-packaging","events":[{"introduced":"0"},{"last_affected":"e9bae6e3c6af20208a697b7ef4e5f110dd56a7c4"},{"last_affected":"8ea44bf3922ae822e2d24bbdd2228d40bd4a329d"},{"last_affected":"ea5589d79b32f9e9f8087d4c7c2662c5a76b9b56"},{"last_affected":"8a40491d57bb13b63e8b44c90f3f34862c218515"},{"last_affected":"d1378318882c7158649adbf6188758c2e366e33f"},{"last_affected":"22d2c23047944aa6df8edada069b6e78b8b7f598"},{"last_affected":"99eb094d4fa2b75cd736555d8cd8dec05bea5813"}],"database_specific":{"cpe":["cpe:2.3:a:alfresco:alfresco_content_services:*:*:*:*:enterprise:*:*:*","cpe:2.3:a:alfresco:alfresco_content_services:7.0:*:*:*:enterprise:*:*:*","cpe:2.3:a:alfresco:alfresco_content_services:7.0.0.1:*:*:*:enterprise:*:*:*","cpe:2.3:a:alfresco:alfresco_content_services:7.0.0.2:*:*:*:enterprise:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"introduced":"6.0.0.0"},{"last_affected":"6.0.1.9"},{"introduced":"6.1.0.0"},{"last_affected":"6.1.1.10"},{"introduced":"6.2.0.0"},{"last_affected":"6.2.2.18"},{"introduced":"7.0.1.0"},{"last_affected":"7.0.1.2"},{"introduced":"0"},{"last_affected":"7.0"},{"last_affected":"7.0.0.1"},{"last_affected":"7.0.0.2"}]}}],"versions":["6.0.1.7","6.0.1.8","6.0.1.9","6.1.1.10","6.1.1.8","6.1.1.9","6.2.2.10","6.2.2.11","6.2.2.12","6.2.2.13","6.2.2.14","6.2.2.15","6.2.2.16","6.2.2.17","6.2.2.18","6.2.2.4","6.2.2.5","6.2.2.6","6.2.2.7","6.2.2.8","6.2.2.9","7.0.0","7.0.0-A11","7.0.0-A12","7.0.0-A13","7.0.0-A14","7.0.0-A15","7.0.0-A16","7.0.0-A17","7.0.0-A20","7.0.0-A22","7.0.0-A23","7.0.0-A24","7.0.0-A25","7.0.0-A26","7.0.0-A27","7.0.0-A28","7.0.0-A29","7.0.0-A30","7.0.0-A9","7.0.0-M3","7.0.0.1","7.0.1","7.0.1-A1","7.0.1-A4","7.0.1-A5","7.0.1-A6","7.0.1.1","7.0.1.2","acs-packaging-6.0.0","acs-packaging-6.0.0-EA1","acs-packaging-6.0.0-RC1","acs-packaging-6.0.0-RC2","acs-packaging-6.0.0-RC3","acs-packaging-6.0.0-RC4","acs-packaging-6.0.0-RC5","acs-packaging-6.0.0-RC6","acs-packaging-6.0.0-testRC3","acs-packaging-6.0.0-testRc4","acs-packaging-6.0.0-testRc6","acs-packaging-6.0.0-testRc7","acs-packaging-6.0.1","acs-packaging-6.0.1.1","acs-packaging-6.0.1.1-RC1","acs-packaging-6.0.1.2","acs-packaging-6.0.1.3","acs-packaging-6.0.1.4","acs-packaging-6.0.1.5","acs-packaging-6.0.1.6","acs-packaging-6.1.0-A1","acs-packaging-6.1.0-A2","acs-packaging-6.1.0-EA1","acs-packaging-6.1.0-EA2","acs-packaging-6.1.0-EA3","acs-packaging-6.1.0-RC2","acs-packaging-6.1.1","acs-packaging-6.1.1-RC1","acs-packaging-6.1.1-RC2","acs-packaging-6.1.1-RC3","acs-packaging-6.1.1.1","acs-packaging-6.1.1.2","acs-packaging-6.1.1.3","acs-packaging-6.1.1.4","acs-packaging-6.2.0-A1","acs-packaging-6.2.0-A2","acs-packaging-6.2.0-A3","acs-packaging-6.2.0-A4","acs-packaging-6.2.0-A5","acs-packaging-6.2.0-A6","acs-packaging-6.2.0-A7","acs-packaging-6.2.0-A8","acs-packaging-6.2.0-RC1","acs-packaging-6.2.0-RC2","acs-packaging-6.2.0-RC3","acs-packaging-6.2.1-A1","acs-packaging-6.2.1-A2","acs-packaging-6.2.1-A3","acs-packaging-6.2.1-A4","acs-packaging-6.2.1-RC1","acs-packaging-6.2.1-RC2","acs-packaging-6.2.1-RC3","acs-packaging-6.2.1-RC4","acs-packaging-6.2.1-RC5","acs-packaging-6.2.1-RC6","acs-packaging-6.2.2","acs-packaging-6.2.2-A1","acs-packaging-6.2.2-A2","acs-packaging-6.2.2-RC1","acs-packaging-6.2.2.1","acs-packaging-6.2.2.2","acs-packaging-6.3.0-A1","acs-packaging-6.3.0-A10","acs-packaging-6.3.0-A11","acs-packaging-6.3.0-A3","acs-packaging-6.3.0-A4","acs-packaging-6.3.0-A5","acs-packaging-6.3.0-A7","acs-packaging-6.3.0-A8","acs-packaging-6.3.0-A9","acs-packaging-7.0.0-A1","acs-packaging-7.0.0-A2","acs-packaging-7.0.0-A3","acs-packaging-7.0.0-A4","acs-packaging-7.0.0-A5","acs-packaging-7.0.0-A6","acs-packaging-7.0.0-A7","acs-packaging-7.0.0-A8","acs-packaging-7.0.0-M1","acs-packaging-7.0.0-M2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41790.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}