CVE-2017-14141

HIGH

Kaltura <13.2.0 - Code Injection

Title source: llm

Description

The wiki_decode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object.

References (3)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/100976

[Third Party Advisory] https://github.com/kaltura/server/commit/6a6d14328b7a1493e8c47f9565461e5f88be20c9#diff-0770640cc76112cbf77bebc604852682

View Writeup ZIP pw:eip

[Exploit, Third Party Advisory] https://telekomsecurity.github.io/assets/advisories/20170912_kaltura-advisory.txt

Scores

CVSS v3 7.2

EPSS 0.0219

EPSS Percentile 84.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status draft

Affected Products (1)

kaltura/kaltura_server < 13.2.0

Timeline

Published Sep 19, 2017

Tracked Since Feb 18, 2026