Vulnerability Details CVE-2019-18211
An issue was discovered in Orckestra C1 CMS through 6.6. The EntityTokenSerializer class in Composite.dll is prone to unvalidated deserialization of wrapped BinaryFormatter payloads, leading to arbitrary remote code execution for any low-privilege user.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.028
EPSS Ranking 85.5%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.5
References
Products affected by CVE-2019-18211
-
cpe:2.3:a:orckestra:c1_cms:2.0
-
cpe:2.3:a:orckestra:c1_cms:2.1
-
cpe:2.3:a:orckestra:c1_cms:2.1.1
-
cpe:2.3:a:orckestra:c1_cms:3.0
-
cpe:2.3:a:orckestra:c1_cms:3.1
-
cpe:2.3:a:orckestra:c1_cms:3.2
-
cpe:2.3:a:orckestra:c1_cms:4.0
-
cpe:2.3:a:orckestra:c1_cms:4.1
-
cpe:2.3:a:orckestra:c1_cms:4.2
-
cpe:2.3:a:orckestra:c1_cms:4.3
-
cpe:2.3:a:orckestra:c1_cms:5.0
-
cpe:2.3:a:orckestra:c1_cms:5.1
-
cpe:2.3:a:orckestra:c1_cms:5.3
-
cpe:2.3:a:orckestra:c1_cms:5.4
-
cpe:2.3:a:orckestra:c1_cms:5.5
-
cpe:2.3:a:orckestra:c1_cms:6.0
-
cpe:2.3:a:orckestra:c1_cms:6.1
-
cpe:2.3:a:orckestra:c1_cms:6.2
-
cpe:2.3:a:orckestra:c1_cms:6.3
-
cpe:2.3:a:orckestra:c1_cms:6.4
-
cpe:2.3:a:orckestra:c1_cms:6.5
-
cpe:2.3:a:orckestra:c1_cms:6.6