CVE-2022-39256 - OpenCVE

Orckestra C1 CMS is a .NET based Web Content Management System. A vulnerability in versions prior to 6.13 allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated user may perform the actions unknowingly by visiting a specially crafted site. This issue is patched in C1 CMS v6.13. There are no known workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Orckestra	C1 Cms

Configuration 1 [-]

cpe:2.3:a:orckestra:c1_cms:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/Orckestra/C1-CMS-Foundation/pull/814
https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13
https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-09-27T15:00:15

Updated: 2024-08-03T12:00:43.606Z

Reserved: 2022-09-02T00:00:00

Link: CVE-2022-39256

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-27T15:15:09.373

Modified: 2022-09-30T23:28:44.640

Link: CVE-2022-39256

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "C1-CMS-Foundation", "vendor": "Orckestra", "versions": [{"status": "affected", "version": "< 6.13"}]}], "descriptions": [{"lang": "en", "value": "Orckestra C1 CMS is a .NET based Web Content Management System. A vulnerability in versions prior to 6.13 allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated user may perform the actions unknowingly by visiting a specially crafted site. This issue is patched in C1 CMS v6.13. There are no known workarounds."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-27T15:00:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/pull/814"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13"}], "source": {"advisory": "GHSA-gfhp-jgp6-838j", "discovery": "UNKNOWN"}, "title": "Orckestra C1 CMS's deserialization of untrusted data allows for arbitrary code execution.", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-39256", "STATE": "PUBLIC", "TITLE": "Orckestra C1 CMS's deserialization of untrusted data allows for arbitrary code execution."}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "C1-CMS-Foundation", "version": {"version_data": [{"version_value": "< 6.13"}]}}]}, "vendor_name": "Orckestra"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Orckestra C1 CMS is a .NET based Web Content Management System. A vulnerability in versions prior to 6.13 allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated user may perform the actions unknowingly by visiting a specially crafted site. This issue is patched in C1 CMS v6.13. There are no known workarounds."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-502: Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j", "refsource": "CONFIRM", "url": "https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j"}, {"name": "https://github.com/Orckestra/C1-CMS-Foundation/pull/814", "refsource": "MISC", "url": "https://github.com/Orckestra/C1-CMS-Foundation/pull/814"}, {"name": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13", "refsource": "MISC", "url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13"}]}, "source": {"advisory": "GHSA-gfhp-jgp6-838j", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.606Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/pull/814"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-39256", "datePublished": "2022-09-27T15:00:15", "dateReserved": "2022-09-02T00:00:00", "dateUpdated": "2024-08-03T12:00:43.606Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:orckestra:c1_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A68D8DD5-7126-4C18-B12C-E814965563F6", "versionEndExcluding": "6.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Orckestra C1 CMS is a .NET based Web Content Management System. A vulnerability in versions prior to 6.13 allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated user may perform the actions unknowingly by visiting a specially crafted site. This issue is patched in C1 CMS v6.13. There are no known workarounds."}, {"lang": "es", "value": "Orckestra C1 CMS es un sistema de administraci\u00f3n de contenidos web basado en .NET. Una vulnerabilidad en versiones anteriores a 6.13, permite a atacantes remotos ejecutar c\u00f3digo arbitrario en las instalaciones afectadas de Orckestra C1 CMS. Es requerida una autenticaci\u00f3n para explotar esta vulnerabilidad. El usuario autenticado puede llevar a cabo las acciones sin saberlo al visitar un sitio especialmente dise\u00f1ado. Este problema est\u00e1 parcheado en C1 CMS versi\u00f3n v6.13. No se presentan mitigaciones conocidas"}], "id": "CVE-2022-39256", "lastModified": "2022-09-30T23:28:44.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-09-27T15:15:09.373", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/pull/814"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Primary"}]}