QwikSec

Security Database

CVE

CWE

Training

CVE-2013-4521

Published: Feb 6, 2020

Modified: Aug 6, 2024

PUBLISHED

Description

RichFaces implementation in Nuxeo Platform 5.6.0 before HF27 and 5.8.0 before HF-01 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data. NOTE: this vulnerability may overlap CVE-2013-2165.

Vendor	Product	Versions
Nuxeo	Nuxeo Platform	affected `5.6.0 before HF27` affected `5.8.0 before HF-01`

References

https://bugzilla.redhat.com/show_bug.cgi?id=1027052

x_refsource_MISC

http://doc.nuxeo.com/display/public/ADMINDOC58/Nuxeo+Security+Hotfixes

x_refsource_CONFIRM

https://github.com/nuxeo/richfaces/commit/6cbad2a6dcb70d3e33a6ce5879b1a3ad79eb1aec

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.