CVE-2022-39256
Published 2022-09-27
Priority: P3 · 48
CVSS 3.1: 8.0 (High) · AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.18% (63.9th percentile)
Orckestra C1 CMS is a .NET based Web Content Management System. A vulnerability in versions prior to 6.13 allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated user may perform the actions unknowingly by visiting a specially crafted site. This issue is patched in C1 CMS v6.13. There are no known workarounds.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| orckestra | c1-cms-foundation | < 6.13 | 6.13 |
| orckestra | c1_cms | < 6.13 | 6.13 |
GHSA
ghsa·2022-09-30
CVE-2022-39256 [CRITICAL] CWE-502 Orckestra C1 CMS's deserialization of untrusted data allows for arbitrary code execution.
### Impact
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS.
Authentication is required to exploit this vulnerability.
The authenticated user may perform the actions unknowingly by visiting a specially crafted site.
### Patches
Patched in C1 CMS v6.13
### Workarounds
Upgrading to C1 CMS v6.13 or newer is required.
### Credit
This issue was discovered and reported by Markus Wulftange / [Code White GmbH](https://code-white.com/en/).
OSV
osv·2022-09-30
CVE-2022-39256 [CRITICAL] Orckestra C1 CMS's deserialization of untrusted data allows for arbitrary code execution. (Same advisory text as the GHSA entry above.)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/Orckestra/C1-CMS-Foundation/pull/814
- https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13
- https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j
Published: 2022-09-27