Vulnerability Details : CVE-2017-14141
The wiki_decode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object.
Exploit prediction scoring system (EPSS) score for CVE-2017-14141
Probability of exploitation activity in the next 30 days: 1.41%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 85 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2017-14141
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
6.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
8.0
|
6.4
|
NIST |
|
7.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
1.2
|
5.9
|
NIST |
CWE ids for CVE-2017-14141
-
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-14141
-
https://github.com/kaltura/server/commit/6a6d14328b7a1493e8c47f9565461e5f88be20c9#diff-0770640cc76112cbf77bebc604852682
remove unsafe unserialize · kaltura/server@6a6d143 · GitHubThird Party Advisory
-
https://telekomsecurity.github.io/assets/advisories/20170912_kaltura-advisory.txt
Exploit;Third Party Advisory
-
http://www.securityfocus.com/bid/100976
Kaltura Community Edition Multiple Security VulnerabilitiesThird Party Advisory;VDB Entry
Products affected by CVE-2017-14141
- cpe:2.3:a:kaltura:kaltura_server:*:*:*:*:*:*:*:*