A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject arbitrary pickle object as part of a user's profile. This can lead to code execution on the server when the user's profile is accessed.
References
Link | Resource |
---|---|
https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity | Issue Tracking Vendor Advisory |
Configurations
History
28 Oct 2022, 17:41
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity - Issue Tracking, Vendor Advisory | |
CWE | CWE-502 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
CPE | cpe:2.3:a:cert:vince:*:*:*:*:*:*:*:* |
26 Oct 2022, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-10-26 16:15
Updated : 2024-02-04 22:51
NVD link : CVE-2022-40238
Mitre link : CVE-2022-40238
CVE.ORG link : CVE-2022-40238
JSON object : View
Products Affected
cert
- vince
CWE
CWE-502
Deserialization of Untrusted Data