CVE-2019-18211

EUVD-2019-8011
An issue was discovered in Orckestra C1 CMS through 6.6. The EntityTokenSerializer class in Composite.dll is prone to unvalidated deserialization of wrapped BinaryFormatter payloads, leading to arbitrary remote code execution for any low-privilege user.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
Affected Products (NVD)
VendorProductVersion
orckestrac1_cms
𝑥
≤ 6.6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/Orckestra/C1-CMS-Foundation/commits/dev
https://github.com/Orckestra/C1-CMS-Foundation/commits/dev