CVE-2018-20221

HIGH

Deltek Ajera Timesheets <9.10.16 - Code Injection

Title source: llm

Description

Secure/SAService.rem in Deltek Ajera Timesheets 9.10.16 and prior is vulnerable to remote code execution via deserialization of untrusted input supplied by an authenticated user. The executed code runs as the IIS Application Pool that is running the application.

Exploits (1)

exploitdb WORKING POC
by Anthony Cole · text · webapps · windows
https://www.exploit-db.com/exploits/46086

Scores

CVSS v3 8.8
EPSS 0.0456
EPSS Percentile 89.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status published

Affected Products (1)

deltek/ajera < 9.10.16

Timeline

Published Mar 21, 2019
Tracked Since Feb 18, 2026