CVE-2019-18211
Severity: HIGH
Orckestra C1 CMS < 6.6 - Authenticated Remote Code Execution via EntityTokenSerializer Deserialization
Title source: llmDescription
An issue was discovered in Orckestra C1 CMS through 6.6. The EntityTokenSerializer class in Composite.dll is prone to unvalidated deserialization of wrapped BinaryFormatter payloads, leading to arbitrary remote code execution for any low-privilege user.
References (1)
Patch (x_refsource_misc): https://github.com/Orckestra/C1-CMS-Foundation/commits/dev
Scores
CVSS v3
8.8
EPSS
0.0288
EPSS Percentile
85.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (1)
orckestra/c1_cms
< 6.6
Published
Dec 23, 2019
Tracked Since
Feb 18, 2026