{"containers": {"cna": {"affected": [{"product": "C1-CMS-Foundation", "vendor": "Orckestra", "versions": [{"status": "affected", "version": "< 6.13"}]}], "descriptions": [{"lang": "en", "value": "Orckestra C1 CMS is a .NET based Web Content Management System. A vulnerability in versions prior to 6.13 allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated user may perform the actions unknowingly by visiting a specially crafted site. This issue is patched in C1 CMS v6.13. There are no known workarounds."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-27T15:00:15.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/pull/814"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13"}], "source": {"advisory": "GHSA-gfhp-jgp6-838j", "discovery": "UNKNOWN"}, "title": "Orckestra C1 CMS's deserialization of untrusted data allows for arbitrary code execution.", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-39256", "STATE": "PUBLIC", "TITLE": "Orckestra C1 CMS's deserialization of untrusted data allows for arbitrary code execution."}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "C1-CMS-Foundation", "version": {"version_data": [{"version_value": "< 6.13"}]}}]}, "vendor_name": "Orckestra"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Orckestra C1 CMS is a .NET based Web Content Management System. A vulnerability in versions prior to 6.13 allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated user may perform the actions unknowingly by visiting a specially crafted site. This issue is patched in C1 CMS v6.13. There are no known workarounds."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-502: Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j", "refsource": "CONFIRM", "url": "https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j"}, {"name": "https://github.com/Orckestra/C1-CMS-Foundation/pull/814", "refsource": "MISC", "url": "https://github.com/Orckestra/C1-CMS-Foundation/pull/814"}, {"name": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13", "refsource": "MISC", "url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13"}]}, "source": {"advisory": "GHSA-gfhp-jgp6-838j", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.606Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/pull/814"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T15:48:47.950146Z", "id": "CVE-2022-39256", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T16:55:22.696Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-39256", "datePublished": "2022-09-27T15:00:15.000Z", "dateReserved": "2022-09-02T00:00:00.000Z", "dateUpdated": "2025-04-23T16:55:22.696Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/Orckestra/C1-CMS-Foundation/pull/814", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.606Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-39256", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-23T15:48:47.950146Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T15:48:49.645Z"}}], "cna": {"title": "Orckestra C1 CMS's deserialization of untrusted data allows for arbitrary code execution.", "source": {"advisory": "GHSA-gfhp-jgp6-838j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Orckestra", "product": "C1-CMS-Foundation", "versions": [{"status": "affected", "version": "< 6.13"}]}], "references": [{"url": "https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Orckestra/C1-CMS-Foundation/pull/814", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Orckestra C1 CMS is a .NET based Web Content Management System. A vulnerability in versions prior to 6.13 allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated user may perform the actions unknowingly by visiting a specially crafted site. This issue is patched in C1 CMS v6.13. There are no known workarounds."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-09-27T15:00:15.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "CHANGED", "version": "3.1", "baseScore": 9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, "source": {"advisory": "GHSA-gfhp-jgp6-838j", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "< 6.13"}]}, "product_name": "C1-CMS-Foundation"}]}, "vendor_name": "Orckestra"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j", "name": "https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j", "refsource": "CONFIRM"}, {"url": "https://github.com/Orckestra/C1-CMS-Foundation/pull/814", "name": "https://github.com/Orckestra/C1-CMS-Foundation/pull/814", "refsource": "MISC"}, {"url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13", "name": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Orckestra C1 CMS is a .NET based Web Content Management System. A vulnerability in versions prior to 6.13 allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated user may perform the actions unknowingly by visiting a specially crafted site. This issue is patched in C1 CMS v6.13. There are no known workarounds."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-502: Deserialization of Untrusted Data"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-39256", "STATE": "PUBLIC", "TITLE": "Orckestra C1 CMS's deserialization of untrusted data allows for arbitrary code execution.", "ASSIGNER": "security-advisories@github.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-39256", "state": "PUBLISHED", "dateUpdated": "2025-04-23T16:55:22.696Z", "dateReserved": "2022-09-02T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-09-27T15:00:15.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:orckestra:c1_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A68D8DD5-7126-4C18-B12C-E814965563F6", "versionEndExcluding": "6.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Orckestra C1 CMS is a .NET based Web Content Management System. A vulnerability in versions prior to 6.13 allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated user may perform the actions unknowingly by visiting a specially crafted site. This issue is patched in C1 CMS v6.13. There are no known workarounds."}, {"lang": "es", "value": "Orckestra C1 CMS es un sistema de administraci\u00f3n de contenidos web basado en .NET. Una vulnerabilidad en versiones anteriores a 6.13, permite a atacantes remotos ejecutar c\u00f3digo arbitrario en las instalaciones afectadas de Orckestra C1 CMS. Es requerida una autenticaci\u00f3n para explotar esta vulnerabilidad. El usuario autenticado puede llevar a cabo las acciones sin saberlo al visitar un sitio especialmente dise\u00f1ado. Este problema est\u00e1 parcheado en C1 CMS versi\u00f3n v6.13. No se presentan mitigaciones conocidas"}], "id": "CVE-2022-39256", "lastModified": "2024-11-21T07:17:53.527", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-27T15:15:09.373", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/pull/814"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/pull/814"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}