CVE-2023-36825
Published 2023-07-11
Priority: P258 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.95% (56.9th percentile)
Orchid is a Laravel package that allows application development of back-office applications, admin/user panels, and dashboards. A vulnerability present starting in version 14.0.0-alpha4 and prior to version 14.5.0 is related to the deserialization of untrusted data from the `_state` query parameter, which can result in remote code execution. The issue has been addressed in version 14.5.0. Users are advised to upgrade their software to this version or any subsequent versions that include the patch. There are no known workarounds.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| orchid | platform | — | — |
| orchid | platform | >= 14.0.0-alpha4 < 14.5.0 | 14.5.0 |
| orchid | platform | >= 14.0.1 < 14.5.0 | 14.5.0 |
| orchidsoftware | platform | — | — |
OSV
osv · 2023-07-11 · CVE-2023-36825 [CRITICAL] Orchid Deserialization of Untrusted Data vulnerability leads to Remote Code Execution
Orchid is a Laravel package that allows application development of back-office applications, admin/user panels, and dashboards.
### Impact
A vulnerability present starting in version 14.0.0-alpha4 and prior to version 14.5.0 is related to the deserialization of untrusted data from the `_state` query parameter, which can result in remote code execution.
### Patches
The issue has been addressed in version 14.5.0. Users are advised to upgrade their software to this version or any subsequent versions that include the patch. There are no known workarounds.
GHSA
ghsa · 2023-07-11 · CVE-2023-36825 [CRITICAL] CWE-502 Orchid Deserialization of Untrusted Data vulnerability leads to Remote Code Execution
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.