RichFaces implementation in Nuxeo Platform 5.6.0 before HF27 and 5.8.0 before HF-01 does not restrict the classes for which deserialization methods can be called, which allows remote malicious users to execute arbitrary code via crafted serialized data. NOTE: this vulnerability may overlap CVE-2013-2165.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
nuxeo nuxeo 5.6.0 |
||
nuxeo nuxeo 5.8.0 |