CVE-2023-36825
published 2023-07-11


Priority: P258
Severity: critical (CVSS 3.1 base score 9.8)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.95% (56.9th percentile)
Orchid is a Laravel package that allows application development of back-office applications, admin/user panels, and dashboards. A vulnerability present starting in version 14.0.0-alpha4 and prior to version 14.5.0 is related to the deserialization of untrusted data from the `_state` query parameter, which can result in remote code execution. The issue has been addressed in version 14.5.0. Users are advised to upgrade their software to this version or any subsequent versions that include the patch. There are no known workarounds.
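A practical detection angle on the advisory above: the dangerous input is the `_state` query parameter, and a PHP `unserialize()` payload that instantiates objects always carries an `O:<len>:"<class>"` (or `C:`) token. The following is an added example, not code from the Orchid project or from this advisory. It scans constructed access-log lines (made up for this example, not from any real incident) for `_state` values that contain such a token, either raw or base64-encoded. That the parameter may be base64-encoded is an assumption made here for coverage, not something the advisory states; the class name `SomeName` in the sample payload is a placeholder and no real gadget chain is shown.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

# A PHP serialized object token (O:) or custom-serialized object (C:), at the
# start of the value or nested after ';' or '{' inside an array.
PHP_OBJECT_TOKEN = re.compile(r'(?:^|[;{])(?:O|C):\d+:"')

# Common/combined log format request line: "METHOD TARGET HTTP/x.y"
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed payload shapes (placeholders, labelled as such): one serialized
# object with a single property, and one harmless serialized array.
_OBJ = 'O:8:"SomeName":1:{s:1:"a";s:1:"b";}'
_ARR = 'a:1:{s:4:"page";i:2;}'

# Constructed sample log (hypothetical hosts and paths, not real traffic).
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [12/Jul/2023:10:01:02 +0000] "GET /admin/users?page=2 HTTP/1.1" 200 5120',
    '203.0.113.10 - - [12/Jul/2023:10:01:05 +0000] "GET /admin/users?_state='
    + quote(base64.b64encode(_ARR.encode()).decode(), safe="") + ' HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Jul/2023:10:02:11 +0000] "GET /admin/users?_state='
    + quote(base64.b64encode(_OBJ.encode()).decode(), safe="") + ' HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Jul/2023:10:02:12 +0000] "GET /admin/users?_state='
    + quote(_OBJ, safe="") + ' HTTP/1.1" 200 5120',
])


def candidate_decodings(value: str):
    """Yield the raw value and, if it decodes cleanly, its base64 decoding.

    Assumption (not from the advisory): the parameter may be carried raw or
    base64-encoded, so both forms are inspected.
    """
    yield value
    try:
        padded = value + "=" * (-len(value) % 4)
        decoded = base64.b64decode(padded, validate=True)
        yield decoded.decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return


def state_values(target: str):
    """Return every _state value in a request target (path + query string)."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("_state", [])


def is_suspicious_state(value: str) -> bool:
    """True if any decoding of the value carries a PHP object token."""
    return any(PHP_OBJECT_TOKEN.search(v) for v in candidate_decodings(value))


def scan_log(text: str):
    """Return (request target, offending _state value) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        for v in state_values(m.group("target")):
            if is_suspicious_state(v):
                hits.append((m.group("target"), v))
    return hits


if __name__ == "__main__":
    for target, value in scan_log(SAMPLE_LOG):
        print("suspicious _state:", target)
```

The two `SomeName` requests are flagged; the empty-array state and the request without `_state` are not. A token check like this is a triage signal, not proof of exploitation: a legitimate serialized object in `_state` would also match, so confirm against the installed `orchid/platform` version before escalating.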

Affected

4 ranges

Vendor           Product    Version range               Fixed in
orchid           platform
orchid           platform   >= 14.0.0-alpha4 < 14.5.0   14.5.0
orchid           platform   >= 14.0.1 < 14.5.0          14.5.0
orchidsoftware   platform
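To turn the version range above into a check you can run against a deployment, the following added example (written for this page, not code from the Orchid project) reads a Composer lock file and decides whether the installed `orchid/platform` falls inside `>= 14.0.0-alpha4 < 14.5.0`. The ordering rules for pre-release suffixes (alpha < beta < RC < stable) follow Composer's normalisation as far as tagged releases go; branch aliases such as `dev-master` are rejected rather than guessed at. The lock file content is constructed for the example.

```python
import json
import re

# Affected range as stated in the advisory: >= 14.0.0-alpha4 and < 14.5.0.
AFFECTED_LOW = "14.0.0-alpha4"
FIXED = "14.5.0"

# Pre-release rank; a stable release ranks above all of these.
_PRE_ORDER = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3}
_STABLE_RANK = 9

# Constructed composer.lock excerpt (only the fields this check needs).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v10.15.0"},
        {"name": "orchid/platform", "version": "v14.4.2"},
    ],
    "packages-dev": [],
})


def parse_version(v: str):
    """Parse a Composer-style tag ('v14.0.0-alpha4', '14.4.2') into a
    comparable tuple: (numeric parts, pre-release rank, pre-release number).

    Raises ValueError for branch versions like 'dev-master', which carry no
    release number and cannot be compared against the advisory range.
    """
    v = v.strip().lstrip("vV")
    core, _, pre = v.partition("-")
    try:
        nums = tuple(int(x) for x in core.split("."))
    except ValueError:
        raise ValueError(f"not a tagged release version: {v!r}") from None
    nums = nums + (0,) * (4 - len(nums))   # Composer pads to four components
    if not pre:
        return (nums, _STABLE_RANK, 0)
    m = re.fullmatch(r"([A-Za-z]+)\.?(\d*)", pre)
    if not m or m.group(1).lower() not in _PRE_ORDER:
        raise ValueError(f"unrecognised pre-release suffix: {pre!r}")
    return (nums, _PRE_ORDER[m.group(1).lower()], int(m.group(2) or 0))


def is_affected(version: str) -> bool:
    """True if version is inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(AFFECTED_LOW) <= v < parse_version(FIXED)


def check_composer_lock(lock_json: str):
    """Return (installed version, affected?) for orchid/platform, or None if absent."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == "orchid/platform":
                return pkg["version"], is_affected(pkg["version"])
    return None


if __name__ == "__main__":
    result = check_composer_lock(SAMPLE_LOCK)
    print("orchid/platform not installed" if result is None
          else f"orchid/platform {result[0]}: {'AFFECTED' if result[1] else 'not affected'}")
```

Run it against the real `composer.lock` of the application (`check_composer_lock(open("composer.lock").read())`); anything reported as affected should be moved to 14.5.0 or later, since the advisory lists no workaround.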