{
"schema_version": "1.4.0",
"id": "GHSA-gfhp-jgp6-838j",
"modified": "2022-11-01T12:56:34Z",
"published": "2022-09-30T04:54:06Z",
"aliases": [
"CVE-2022-39256"
],
"summary": "Orckestra C1 CMS's deserialization of untrusted data allows for arbitrary code execution.",
"details": "### Impact\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. \nAuthentication is required to exploit this vulnerability.\nThe authenticated user may perform the actions unknowingly by visiting a specially crafted site.\n\n### Patches\nPatched in C1 CMS v6.13\n\n### Workarounds\nUpgrading to C1 CMS v6.13 or newer is required.\n\n### Credit\nThis issue was discovered and reported by Markus Wulftange / [Code White GmbH](https://code-white.com/en/).\n",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"
}
],
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "CompositeC1.Core"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "6.13"
}
]
}
]
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39256"
},
{
"type": "WEB",
"url": "https://github.com/Orckestra/C1-CMS-Foundation/pull/814"
},
{
"type": "WEB",
"url": "https://github.com/Orckestra/C1-CMS-Foundation/commit/af856ab5a62d19acf6aea1b1f4c6c3c4985c9446"
},
{
"type": "PACKAGE",
"url": "https://github.com/Orckestra/C1-CMS-Foundation"
},
{
"type": "WEB",
"url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13"
}
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"severity": "CRITICAL",
"github_reviewed": true,
"github_reviewed_at": "2022-09-30T04:54:06Z",
"nvd_published_at": "2022-09-27T15:15:00Z"
}
}