CVE-2022-39256

CRITICAL

Orckestra C1 Cms < 6.13 - Insecure Deserialization

Title source: rule

Description

Orckestra C1 CMS is a .NET based Web Content Management System. A vulnerability in versions prior to 6.13 allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated user may perform the actions unknowingly by visiting a specially crafted site. This issue is patched in C1 CMS v6.13. There are no known workarounds.

References (3)

[Patch, Third Party Advisory] https://github.com/Orckestra/C1-CMS-Foundation/pull/814

[Release Notes, Third Party Advisory] https://github.com/Orckestra/C1-CMS-Foundation/releases/tag/v6.13

[Third Party Advisory] https://github.com/Orckestra/C1-CMS-Foundation/security/advisories/GHSA-gfhp-jgp6-838j

Scores

CVSS v3 9.0

EPSS 0.0207

EPSS Percentile 83.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (2)

orckestra/c1_cms < 6.13

nuget/CompositeC1.Core < 6.13NuGet

Timeline

Published Sep 27, 2022

Tracked Since Feb 18, 2026