GHSA-gfhp-jgp6-838j

Suggest an improvement
Source
https://github.com/advisories/GHSA-gfhp-jgp6-838j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-gfhp-jgp6-838j/GHSA-gfhp-jgp6-838j.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-gfhp-jgp6-838j
Aliases
Published
2022-09-30T04:54:06Z
Modified
2023-11-01T04:59:47.774619Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Orckestra C1 CMS's deserialization of untrusted data allows for arbitrary code execution.
Details

Impact

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated user may perform the actions unknowingly by visiting a specially crafted site.

Patches

Patched in C1 CMS v6.13

Workarounds

Upgrade to C1 CMS v6.13 or newer is required

Credit

This issue was discovered and reported by Markus Wulftange / Code White GmbH.

Database specific
{
    "nvd_published_at": "2022-09-27T15:15:00Z",
    "github_reviewed_at": "2022-09-30T04:54:06Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-502"
    ]
}
References

Affected packages

NuGet / CompositeC1.Core

Package

Name
CompositeC1.Core
View open source insights on deps.dev
Purl
pkg:nuget/CompositeC1.Core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.13

Affected versions

4.*

4.2.0
4.2.1
4.3.0-beta1
4.3.0

5.*

5.0.0
5.1.0
5.2.0
5.3.0
5.4.0
5.5.0

6.*

6.0.0
6.1.0
6.2.0
6.3.0
6.4.0
6.5.0
6.6.0
6.7.0
6.8.0
6.9.0
6.10.0
6.11.0
6.12.0