CVE-2020-26118
HIGHSmartbear Collaborator < 13.3.13302 - Insecure Deserialization
Title source: ruleDescription
In SmartBear Collaborator Server through 13.3.13302, use of the Google Web Toolkit (GWT) API introduces a post-authentication Java deserialization vulnerability. The application's UpdateMemento class accepts a serialized Java object directly from the user without properly sanitizing it. A malicious object can be submitted to the server via an authenticated attacker to execute commands on the underlying system.
References (3)
Scores
CVSS v3
8.8
EPSS
0.0196
EPSS Percentile
83.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-502
Status
published
Affected Products (1)
smartbear/collaborator
< 13.3.13302
Timeline
Published
Jan 11, 2021
Tracked Since
Feb 18, 2026