8.8

CVE-2019-18211

EPSS 2.81%
Veröffentlicht 23.12.2019 23:15:12
Zuletzt bearbeitet 21.11.2024 04:32:50
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in Orckestra C1 CMS through 6.6. The EntityTokenSerializer class in Composite.dll is prone to unvalidated deserialization of wrapped BinaryFormatter payloads, leading to arbitrary remote code execution for any low-privilege user.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Orckestra ≫ C1 Cms Version <= 6.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.81%	0.856

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://github.com/Orckestra/C1-CMS-Foundation/commits/dev

Patch

https://nvd.nist.gov/vuln/detail/CVE-2019-18211

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-18211

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-18211

EUVD