CVE-2022-39256 – compositec1.core

Package

Manager: nuget
Name: compositec1.core
Vulnerable Version: >=0 <6.13

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01445 pctl0.80003

Details

Orckestra C1 CMS's deserialization of untrusted data allows for arbitrary code execution. ### Impact This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated user may perform the actions unknowingly by visiting a specially crafted site. ### Patches Patched in C1 CMS v6.13 ### Workarounds Upgrade to C1 CMS v6.13 or newer is required ### Credit This issue was discovered and reported by Markus Wulftange / [Code White GmbH](https://code-white.com/en/).

Metadata

Created: 2022-09-30T04:54:06Z
Modified: 2022-11-01T12:56:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-gfhp-jgp6-838j/GHSA-gfhp-jgp6-838j.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-gfhp-jgp6-838j
Finding: F096
Auto approve: 1