Lucene search

TwcertCVELIST:CVE-2022-35223

HistoryAug 02, 2022 - 3:21 p.m.

CVE-2022-35223 EasyUse MailHunter Ultimate - Deserialization of Untrusted Data

2022-08-0215:21:11

CWE-502

twcert

www.cve.org

easyuse mailhunter ultimate

cookie deserialization

vulnerability

malicious payload

unauthenticated remote attacker

execute arbitrary code

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.004

Percentile

73.5%

JSON

EasyUse MailHunter Ultimate’s cookie deserialization function has an inadequate validation vulnerability. Deserializing a cookie containing malicious payload will trigger this insecure deserialization vulnerability, allowing an unauthenticated remote attacker to execute arbitrary code, manipulate system command or interrupt service.

CNA Affected

[
  {
    "product": "MailHunter Ultimate",
    "vendor": "EasyUse",
    "versions": [
      {
        "lessThanOrEqual": "2020",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

www.chtsecurity.com/news/a381467e-74ff-4a8c-a4d3-fc86720f5400

www.twcert.org.tw/tw/cp-132-6365-b056c-1.html

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.004

Percentile

73.5%

JSON

Related for CVELIST:CVE-2022-35223