9.8

CVE-2023-36825

EPSS 5.41%
Veröffentlicht 11.07.2023 18:15:20
Zuletzt bearbeitet 21.11.2024 08:10:40
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Orchid is a Laravel package that allows application development of back-office applications, admin/user panels, and dashboards. A vulnerability present starting in version 14.0.0-alpha4 and prior to version 14.5.0 is related to the deserialization of untrusted data from the `_state` query parameter, which can result in remote code execution. The issue has been addressed in version 14.5.0. Users are advised to upgrade their software to this version or any subsequent versions that include the patch. There are no known workarounds.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Orchid ≫ Platform Version >= 14.0.1 < 14.5.0

Orchid ≫ Platform Version14.0.0 Update-

Orchid ≫ Platform Version14.0.0 Updatealpha4

Orchid ≫ Platform Version14.0.0 Updatealpha5

Orchid ≫ Platform Version14.0.0 Updatealpha6

Orchid ≫ Platform Version14.0.0 Updatealpha7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	5.41%	0.897

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.6	2.8	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://github.com/orchidsoftware/platform/releases/tag/14.5.0

Release Notes

https://github.com/orchidsoftware/platform/security/advisories/GHSA-ph6g-p72v-pc3p

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-36825

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-36825

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-36825

EUVD