Kentico CMS Deserialization RCE

Description

Kentico CMS is an ASP.NET web content management system.

Kentico CMS API uses .NET deserialization of user-supplied data. Arbitrary object deserialization is inherently unsafe, and should never be performed on untrusted data.

Remediation

Upgrade to the latest version of Kentico CMS

References

Hotfixes

Related Vulnerabilities

Oracle Reports Services RWServlet environment variables disclosure

Sitecore XP Deserialization RCE (CVE-2021-42237)

Deserialization of Untrusted Data (XStream)

TorchServe Management API SSRF (CVE-2023-43654)

Oracle ADF Faces 'Miracle' RCE (CVE-2022-21445)

Severity

High

Classification

CVE-2019-10068 CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H