CVE-2020-26118

Published: Jan 11, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

In SmartBear Collaborator Server through 13.3.13302, use of the Google Web Toolkit (GWT) API introduces a post-authentication Java deserialization vulnerability. The application's UpdateMemento class accepts a serialized Java object directly from the user without properly sanitizing it. A malicious object can be submitted to the server via an authenticated attacker to execute commands on the underlying system.

Affected (1)

Products: Smartbear: Collaborator

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Smartbear Collaborator	Up to 13.3.13302

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (6)

https://support.smartbear.com/collaborator/docs/general-info/version-history/ver-13/ver-13-0.html

Source: cve@mitre.org

Release NotesVendor Advisory

https://support.smartbear.com/collaborator/docs/general-info/whats-new.html

Source: cve@mitre.org

Release NotesVendor Advisory

https://support.smartbear.com/collaborator/docs/server/index.html

Source: cve@mitre.org

ProductVendor Advisory

https://support.smartbear.com/collaborator/docs/general-info/version-history/ver-13/ver-13-0.html

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://support.smartbear.com/collaborator/docs/general-info/whats-new.html

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://support.smartbear.com/collaborator/docs/server/index.html

Source: af854a3a-2127-422b-91ae-364da2661108

ProductVendor Advisory

Timeline

No history available yet.