CVE-2023-36825

Source
https://cve.org/CVERecord?id=CVE-2023-36825
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-36825.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-36825
Aliases
Published
2023-07-11T17:49:23.557Z
Modified
2026-04-02T09:10:28.650418Z
Severity
  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
Orchid Deserialization of Untrusted Data vulnerability leads to Remote Code Execution
Details

Orchid is a Laravel package for building back-office applications, admin/user panels, and dashboards. In versions from 14.0.0-alpha4 up to but not including 14.5.0, untrusted data supplied in the _state query parameter is deserialized (CWE-502), which can result in remote code execution. The issue has been addressed in version 14.5.0; users are advised to upgrade to that version or any later version that includes the patch. There are no known workarounds.
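The pattern behind this advisory, shown as an added example in plain PHP; this is not Orchid's code and does not reproduce the actual Orchid handler. The assumptions are mine: the state is a serialized PHP value carried base64-encoded in the `_state` query parameter, `LogWriter` is an invented stand-in for a gadget class, and `restoreStateVulnerable`, `restoreStateHardened` and `signState` are hypothetical names. The vulnerable function hands the raw parameter to `unserialize()`, so the client chooses which classes are instantiated and their magic methods run; the hardened form refuses objects (`allowed_classes => false`) and only accepts state that carries a valid HMAC from the application key.

```php
<?php
// Added CWE-502 illustration (not the project's code). Assumptions: state is
// base64(serialize(...)) in ?_state=, LogWriter is an invented gadget stand-in,
// and $appKey plays the role of the application's secret key.
declare(strict_types=1);

// Stand-in gadget: any autoloadable class whose magic method acts on
// attacker-controlled properties. __destruct() runs as soon as the object
// created by unserialize() goes out of scope.
final class LogWriter
{
    public string $path = '/dev/null';
    public string $data = '';

    public function __destruct()
    {
        file_put_contents($this->path, $this->data); // attacker-chosen path and content
    }
}

// Vulnerable: the query value decides which classes get instantiated.
function restoreStateVulnerable(string $state): mixed
{
    return unserialize(base64_decode($state, true) ?: '');
}

// Hardened: reject anything not signed by the app key, and never build objects.
function restoreStateHardened(string $state, string $appKey): ?array
{
    $parts = explode('.', $state, 2);
    if (count($parts) !== 2) {
        return null;                       // no MAC present
    }
    [$mac, $payload] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $appKey), $mac)) {
        return null;                       // forged or tampered state
    }
    $decoded = unserialize(base64_decode($payload, true) ?: '', ['allowed_classes' => false]);
    return is_array($decoded) ? $decoded : null;
}

// Server-side producer for the hardened format: HMAC "." base64(serialize(array)).
function signState(array $state, string $appKey): string
{
    $payload = base64_encode(serialize($state));
    return hash_hmac('sha256', $payload, $appKey) . '.' . $payload;
}

// --- demo ---
$appKey = 'demo-only-key';
$path   = sys_get_temp_dir() . '/cve-2023-36825-demo.txt';
$data   = "written by LogWriter::__destruct\n";

// Constructed attacker payload, built by hand so no LogWriter exists yet.
$serialized = sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($path), $path, strlen($data), $data
);
$attackerState = base64_encode($serialized);

@unlink($path);
restoreStateVulnerable($attackerState);    // LogWriter instantiated, __destruct() fires
echo 'vulnerable path: file written = ', var_export(file_exists($path), true), "\n";

@unlink($path);
var_dump(restoreStateHardened($attackerState, $appKey));          // NULL: no MAC
var_dump(restoreStateHardened('00.' . $attackerState, $appKey));  // NULL: bad MAC

// Even if the MAC layer were bypassed, allowed_classes => false yields a
// __PHP_Incomplete_Class, whose destruction runs nothing.
$inert = unserialize($serialized, ['allowed_classes' => false]);
echo 'class with allowed_classes=false: ', get_class($inert), "\n";
unset($inert);
echo 'hardened path: file written = ', var_export(file_exists($path), true), "\n";

// Legitimate state round-trips.
var_dump(restoreStateHardened(signState(['page' => 2], $appKey), $appKey));
```

Run it with `php demo.php` on PHP 8.0 or later. The first `var_export` prints `true` and the last one `false`; the two `NULL` dumps show the MAC check rejecting unsigned and forged input, and the final dump returns `['page' => 2]`. Encrypting the state (Laravel's `encrypt()`/`decrypt()` helpers) is the equivalent of the HMAC step; the `allowed_classes => false` guard, or replacing `serialize` with JSON, is what actually removes the deserialization gadget surface.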

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-502"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/36xxx/CVE-2023-36825.json"
}
References

Affected packages

Git / github.com/orchidsoftware/platform

Affected ranges

Type
GIT
Repo
https://github.com/orchidsoftware/platform
Events

Affected versions

14.*
14.0.0
14.0.0-alpha4
14.0.0-alpha5
14.0.0-alpha6
14.0.0-alpha7
14.0.1
14.0.2
14.0.3
14.1.0
14.1.1
14.2.0
14.2.1
14.3.0
14.4.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-36825.json"