CVE-2021-34992

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-34992
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-34992.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-34992
Published
2021-11-15T16:15:09.617Z
Modified
2026-04-10T04:34:59.475051Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS 6.10. Authentication is required to exploit this vulnerability. The specific flaw exists within Composite.dll. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-14740.

References

Affected packages

Git / github.com/orckestra/c1-cms-foundation

Affected ranges

Type
GIT
Repo
https://github.com/orckestra/c1-cms-foundation
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
b918360aba84ef648ab607d9cbfb3ddf7bd815c5
Fixed
d051f94701af2e9d20486bc2fcf30178e66e47c3
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.10"
        }
    ]
}

Affected versions

5.*
5.2
v2.*
v2.0
v2.1
v2.1.1
v3.*
v3.0
v3.1
v3.2
v4.*
v4.0
v4.1
v4.2
v4.2-update.1
v4.3
v5.*
v5.0
v5.0-beta.1
v5.1
v5.3
v5.4
v5.5
v6.*
v6.0
v6.1
v6.10
v6.2
v6.3
v6.4
v6.5
v6.6
v6.7
v6.8
v6.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-34992.json"