CVE-2018-20221

Secure/SAService.rem in Deltek Ajera Timesheets 9.10.16 and prior are vulnerable to remote code execution via deserialization of untrusted user input from an authenticated user. The executed code will run as the IIS Application Pool that is running the application.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 88%
VendorProductVersion
deltekajera
𝑥
≤ 9.10.16
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/151035/Ajera-Timesheets-9.10.16-Deserialization.html
https://www.exploit-db.com/exploits/46086/
http://packetstormsecurity.com/files/151035/Ajera-Timesheets-9.10.16-Deserialization.html
https://www.exploit-db.com/exploits/46086/