QwikSec

Security Database

CVE

CWE

Training

CVE-2017-14143

Published: Sep 19, 2017

Modified: Aug 5, 2024

PUBLISHED

Description

The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzone cookie.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/kaltura/server/commit/6a6d14328b7a1493e8c47f9565461e5f88be20c9#diff-0770640cc76112cbf77bebc604852682

x_refsource_CONFIRM

exploit

x_refsource_EXPLOIT-DB

exploit

x_refsource_EXPLOIT-DB

https://telekomsecurity.github.io/assets/advisories/20170912_kaltura-advisory.txt

x_refsource_MISC

vdb-entry

x_refsource_BID

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.