RichFaces implementation in Nuxeo Platform 5.6.0 before HF27 and 5.8.0 before HF-01 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data. NOTE: this vulnerability may overlap CVE-2013-2165.

CPE

Name | Operator | Version |
---|---|---|
nuxeo | eq | 5.8.0 |
nuxeo | eq | 5.6.0 |
nuxeo | eq | 5.6.0 hotfix1 |
nuxeo | eq | 5.6.0 hotfix2 |
nuxeo | eq | 5.6.0 hotfix3 |
nuxeo | eq | 5.6.0 hotfix4 |
nuxeo | eq | 5.6.0 hotfix5 |
nuxeo | eq | 5.6.0 hotfix6 |
nuxeo | eq | 5.6.0 hotfix7 |
nuxeo | eq | 5.6.0 hotfix8 |