Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for C1 CMS by Orckestra

    CVE-2021-34992 (GCVE-0-2021-34992)

    Vulnerability from nvd – Published: 2021-11-15 15:40 – Updated: 2024-08-04 00:26
    VLAI
    Summary
    This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS 6.10. Authentication is required to exploit this vulnerability. The specific flaw exists within Composite.dll. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-14740.
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Orckestra C1 CMS Affected: 6.10
    Create a notification for this product.
    Credits
    Le Ngoc Anh - Sun* Cyber Security Research Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T00:26:55.827Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1304/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.11"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "C1 CMS",
              "vendor": "Orckestra",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.10"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Le Ngoc Anh - Sun* Cyber Security Research Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS 6.10. Authentication is required to exploit this vulnerability. The specific flaw exists within Composite.dll. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-14740."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-13T21:44:44.000Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1304/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.11"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "zdi-disclosures@trendmicro.com",
              "ID": "CVE-2021-34992",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "C1 CMS",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "6.10"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Orckestra"
                  }
                ]
              }
            },
            "credit": "Le Ngoc Anh - Sun* Cyber Security Research Team",
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS 6.10. Authentication is required to exploit this vulnerability. The specific flaw exists within Composite.dll. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-14740."
                }
              ]
            },
            "impact": {
              "cvss": {
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-502: Deserialization of Untrusted Data"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-1304/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1304/"
                },
                {
                  "name": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.11",
                  "refsource": "MISC",
                  "url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.11"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2021-34992",
        "datePublished": "2021-11-15T15:40:18.000Z",
        "dateReserved": "2021-06-17T00:00:00.000Z",
        "dateUpdated": "2024-08-04T00:26:55.827Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-34992 (GCVE-0-2021-34992)

    Vulnerability from cvelistv5 – Published: 2021-11-15 15:40 – Updated: 2024-08-04 00:26
    VLAI
    Summary
    This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS 6.10. Authentication is required to exploit this vulnerability. The specific flaw exists within Composite.dll. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-14740.
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Orckestra C1 CMS Affected: 6.10
    Create a notification for this product.
    Credits
    Le Ngoc Anh - Sun* Cyber Security Research Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T00:26:55.827Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1304/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.11"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "C1 CMS",
              "vendor": "Orckestra",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.10"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Le Ngoc Anh - Sun* Cyber Security Research Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS 6.10. Authentication is required to exploit this vulnerability. The specific flaw exists within Composite.dll. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-14740."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-13T21:44:44.000Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1304/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.11"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "zdi-disclosures@trendmicro.com",
              "ID": "CVE-2021-34992",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "C1 CMS",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "6.10"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Orckestra"
                  }
                ]
              }
            },
            "credit": "Le Ngoc Anh - Sun* Cyber Security Research Team",
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS 6.10. Authentication is required to exploit this vulnerability. The specific flaw exists within Composite.dll. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-14740."
                }
              ]
            },
            "impact": {
              "cvss": {
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-502: Deserialization of Untrusted Data"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-1304/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1304/"
                },
                {
                  "name": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.11",
                  "refsource": "MISC",
                  "url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.11"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2021-34992",
        "datePublished": "2021-11-15T15:40:18.000Z",
        "dateReserved": "2021-06-17T00:00:00.000Z",
        "dateUpdated": "2024-08-04T00:26:55.827Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }