CVE-2019-18211

Published: Dec 23, 2019Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

An issue was discovered in Orckestra C1 CMS through 6.6. The EntityTokenSerializer class in Composite.dll is prone to unvalidated deserialization of wrapped BinaryFormatter payloads, leading to arbitrary remote code execution for any low-privilege user.

Affected (1)

Products: Orckestra: C1 Cms

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Orckestra C1 Cms	Up to 6.6

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (2)

https://github.com/Orckestra/C1-CMS-Foundation/commits/dev

Source: cve@mitre.org

Patch

https://github.com/Orckestra/C1-CMS-Foundation/commits/dev

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

Timeline

No history available yet.