RichFaces implementation in Nuxeo Platform 5.6.0 before HF27 and 5.8.0 before HF-01 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data. NOTE: this vulnerability may overlap CVE-2013-2165.
[
{
"product": "Nuxeo Platform",
"vendor": "Nuxeo",
"versions": [
{
"status": "affected",
"version": "5.6.0 before HF27"
},
{
"status": "affected",
"version": "5.8.0 before HF-01"
}
]
}
]