CVE-2022-39256

EPSS 1.18%
Veröffentlicht 27.09.2022 15:15:09
Zuletzt bearbeitet 21.11.2024 07:17:53
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Orckestra C1 CMS's deserialization of untrusted data allows for arbitrary code execution.

Orckestra C1 CMS is a .NET based Web Content Management System. A vulnerability in versions prior to 6.13 allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated user may perform the actions unknowingly by visiting a specially crafted site. This issue is patched in C1 CMS v6.13. There are no known workarounds.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Orckestra ≫ C1 Cms Version < 6.13

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.18%	0.637

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8	2.1	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com	9	2.3	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://github.com/Orckestra/C1-CMS-Foundation/pull/814

Patch

Third Party Advisory

https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13

Third Party Advisory

Release Notes

https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-39256

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-39256

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-39256

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-39256