Veracode Vulnerability Database: VERACODE:41263
Published: 2023-07-13 12:29:30 (sca.analysiscenter.veracode.com)

Deserialization Of Untrusted Data

Tags: deserialization, vulnerability, remote code execution, screen.php

CVSS v3.1 base score: 9.8 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: None
  Scope: Unchanged
  Confidentiality Impact: High
  Integrity Impact: High
  Availability Impact: High

EPSS: 0.003 (Low), percentile 68.2%

orchid/platform is vulnerable to Deserialization of Untrusted Data. Screen.php takes the client-supplied `_state` request parameter and deserializes it as if it were trusted server-generated state, so any remote client can submit a crafted serialized object graph in `_state`. Because PHP `unserialize()` instantiates whatever classes the payload names and invokes their magic methods (`__wakeup`, `__destruct`, `__toString`), an attacker with a usable gadget chain on the application's autoload path can turn this into remote code execution. No credentials or user interaction are needed, which is what the AV:N/PR:N/UI:N vector above reflects.
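The following is an added, self-contained illustration of the pattern this entry describes; it is not Orchid's code and does not reproduce the actual Screen.php implementation or its fix. The `AuditHook` class, the `restoreStateVulnerable` / `restoreStateHardened` / `encodeState` functions, the `STATE_KEY` secret and the serialized payload string are all constructed for this example. The gadget here only records what a real magic method would have done; in a live application the dangerous class would be one already present in the Composer autoload path.

```php
<?php
declare(strict_types=1);

// Stand-in for a real gadget class (constructed for this example, not Orchid code).
// A real chain would do something harmful in __wakeup/__destruct; this one just records it.
final class AuditHook
{
    /** @var string[] */
    public static array $fired = [];
    public string $cmd = '';

    public function __wakeup(): void
    {
        // unserialize() calls this before the caller ever sees the object.
        self::$fired[] = $this->cmd;
    }
}

// Vulnerable pattern: the client-supplied _state parameter goes straight to unserialize().
function restoreStateVulnerable(array $request): array
{
    $blob  = base64_decode((string) ($request['_state'] ?? ''), true);
    $state = $blob === false ? false : unserialize($blob);
    return is_array($state) ? $state : [];
}

// Hardened pattern: state leaves the server as HMAC-signed JSON and is accepted back
// only if the tag verifies. No PHP object graph is ever reconstructed from the client.
const STATE_KEY = 'replace-with-a-server-side-secret'; // assumption: application key

function encodeState(array $state): string
{
    $payload = json_encode($state, JSON_THROW_ON_ERROR);
    $tag     = hash_hmac('sha256', $payload, STATE_KEY);
    return base64_encode($tag . '.' . $payload);
}

function restoreStateHardened(array $request): ?array
{
    $raw = base64_decode((string) ($request['_state'] ?? ''), true);
    if ($raw === false || !str_contains($raw, '.')) {
        return null;
    }
    [$tag, $payload] = explode('.', $raw, 2);
    if (!hash_equals(hash_hmac('sha256', $payload, STATE_KEY), $tag)) {
        return null; // forged or tampered state is rejected before any parsing
    }
    $state = json_decode($payload, true, 32, JSON_THROW_ON_ERROR);
    return is_array($state) ? $state : null;
}

// Constructed attacker input: a serialized AuditHook with an attacker-chosen property.
$gadget = 'O:9:"AuditHook":1:{s:3:"cmd";s:11:"id > /tmp/x";}';
$forged = ['_state' => base64_encode($gadget)];

restoreStateVulnerable($forged);
printf("vulnerable: magic method ran with %s\n", json_encode(AuditHook::$fired));

AuditHook::$fired = [];
$result = restoreStateHardened($forged);
printf("hardened: result=%s, magic methods fired=%d\n", var_export($result, true), count(AuditHook::$fired));

// A legitimate round trip through the signed envelope still works.
$ok = restoreStateHardened(['_state' => encodeState(['page' => 2, 'filter' => 'active'])]);
printf("hardened round trip: %s\n", json_encode($ok));
```

Running this shows the vulnerable path executing `AuditHook::__wakeup` with the attacker's string even though the function "only" returns an array, while the hardened path returns `null` for the forged blob and fires nothing. Two practitioner notes: `unserialize($blob, ['allowed_classes' => false])` blocks object instantiation and is worth adding as defence in depth, but it still lets the client dictate the state contents, so authenticating the blob (an HMAC as above, or an authenticated-encryption wrapper such as Laravel's `Crypt`) is the actual fix. To check an installed copy, search the package for `unserialize(` applied to request input, e.g. `grep -rn 'unserialize(' vendor/orchid/platform`.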
