Executive Summary
Summary | |
---|---|
Title | Checkbox Survey insecurely deserializes ASP.NET View State data |
Informations | |||
---|---|---|---|
Name | VU#706695 | First vendor Publication | 2021-05-25 |
Vendor | VU-CERT | Last vendor Modification | 2021-05-25 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | |||
---|---|---|---|
Overall CVSS Score | 9.8 | ||
Base Score | 9.8 | Environmental Score | 9.8 |
impact SubScore | 5.9 | Temporal Score | 9.8 |
Exploitabality Sub Score | 3.9 | ||
Attack Vector | Network | Attack Complexity | Low |
Privileges Required | None | User Interaction | None |
Scope | Unchanged | Confidentiality Impact | High |
Integrity Impact | High | Availability Impact | High |
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
OverviewCheckbox Survey prior to version 7.0 insecurely deserializes ASP.NET View State data, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable server. DescriptionCVE-2021-27852 Checkbox Survey insecurely deserializes ASP.NET View State data. Checkbox Survey is an ASP.NET application that can add survey functionality to a website. Prior to version 7.0, Checkbox Survey implements its own View State functionality by accepting a This vulnerability is reportedly being exploited in the wild. ImpactBy making a specially-crafted request to a server that uses Checkbox Survey 6.x or earlier, a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the web server. SolutionApply an updateStarting with Checkbox Survey 7.0, View State data is not used. Therefore, Checkbox Survey versions 7.0 and later do not contain this vulnerability. Remove Checkbox Survey versions older than 7Checkbox is no longer developing Checkbox Survey version 6, so this version is no longer safe to use. If you are unable to update to an unaffected version of Checkbox Survey, this software should be removed from any systems that have it installed. AcknowledgementsThanks to the reporter who wishes to remain anonymous. This document was written by Will Dormann. |
Original Source
Url : https://kb.cert.org/vuls/id/706695 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-502 | Deserialization of Untrusted Data |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 |
Alert History
Date | Informations |
---|---|
2021-09-23 17:17:44 |
|
2021-05-26 00:17:37 |
|