CVE-2024-5675 - OpenCVE

Untrusted data deserialization vulnerability has been found in Mentor - Employee Portal, affecting version 3.83.35. This vulnerability could allow an attacker to execute arbitrary code, by injecting a malicious payload into the “ViewState” field.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Summar	Mentor

Configuration 1 [-]

cpe:2.3:a:summar:mentor:3.83.35:*:*:*:*:*:*:*

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/unreliable-data-deserialization-vulnerability-mentor	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: INCIBE

Published: 2024-06-06T12:10:04.124Z

Updated: 2024-06-06T12:10:04.124Z

Reserved: 2024-06-06T09:20:01.383Z

Link: CVE-2024-5675

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-06-06T13:15:31.713

Modified: 2024-06-11T18:14:02.017

Link: CVE-2024-5675

JSON object: View

Redhat Information

No data.

CWE

CWE-502

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5675", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-06-06T09:20:01.383Z", "datePublished": "2024-06-06T12:10:04.124Z", "dateUpdated": "2024-06-06T12:10:04.124Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mentor \u2013 Employee Portal", "vendor": "Summar Software", "versions": [{"status": "affected", "version": "3.83.35"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ra\u00fal Caro Teixido"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Untrusted data deserialization vulnerability has been found in Mentor - Employee Portal, affecting version 3.83.35. This vulnerability could allow an attacker to execute arbitrary code, by injecting a malicious payload into the \u201cViewState\u201d field."}], "value": "Untrusted data deserialization vulnerability has been found in Mentor - Employee Portal, affecting version 3.83.35. This vulnerability could allow an attacker to execute arbitrary code, by injecting a malicious payload into the \u201cViewState\u201d field."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-06-06T12:10:04.124Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/unreliable-data-deserialization-vulnerability-mentor"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The vulnerability has been fixed by the Summar team in Mentor - Employee Portal, version 3.87.7."}], "value": "The vulnerability has been fixed by the Summar team in Mentor - Employee Portal, version 3.87.7."}], "source": {"discovery": "EXTERNAL"}, "title": "Unreliable data deserialization vulnerability in Mentor", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:summar:mentor:3.83.35:*:*:*:*:*:*:*", "matchCriteriaId": "C75F5DD4-78E1-481B-857F-A05B1F86470E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Untrusted data deserialization vulnerability has been found in Mentor - Employee Portal, affecting version 3.83.35. This vulnerability could allow an attacker to execute arbitrary code, by injecting a malicious payload into the \u201cViewState\u201d field."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad de deserializaci\u00f3n de datos no confiables en Mentor - Portal del empleado, que afecta la versi\u00f3n 3.83.35. Esta vulnerabilidad podr\u00eda permitir a un atacante ejecutar c\u00f3digo arbitrario inyectando un payload malicioso en el campo \"ViewState\"."}], "id": "CVE-2024-5675", "lastModified": "2024-06-11T18:14:02.017", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2024-06-06T13:15:31.713", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/unreliable-data-deserialization-vulnerability-mentor"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}