CVE-2018-18240

CRITICAL

Pippo < 1.11.0 - Insecure Deserialization

Title source: rule

Description

Pippo through 1.11.0 allows remote code execution via a command to java.lang.ProcessBuilder because the XstreamEngine component does not use XStream's available protection mechanisms to restrict unmarshalling.

References (1)

Scores

CVSS v3 9.8
EPSS 0.0271
EPSS Percentile 85.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status published

Affected Products (3)

pippo/pippo < 1.11.0
ro.pippo/pippo-core < 1.12.0Maven
ro.pippo/pippo-session < 1.12.0Maven

Timeline

Published Oct 11, 2018
Tracked Since Feb 18, 2026