First published: Thu Oct 11 2018
Pippo through 1.11.0 allows remote code execution via a command to java.lang.ProcessBuilder because the XstreamEngine component does not use XStream's available protection mechanisms to restrict unmarshalling.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pippo | <=1.11.0 | Update to 1.12.0 or later |
The CVE ID of this vulnerability is CVE-2018-18240.
The severity of CVE-2018-18240 is critical with a score of 9.8.
The following software packages are affected by CVE-2018-18240: ro.pippo:pippo-parent 1.11.0, ro.pippo:pippo-session 1.11.0, ro.pippo:pippo-core 1.11.0, Pippo Pippo 1.11.0.
To fix CVE-2018-18240, update the affected software packages to version 1.12.0 or later.
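The root cause named above is an XStream instance that unmarshals whatever type the incoming document names. The following is an added example, not Pippo's code or its actual 1.12.0 fix, showing how an engine that deserialises session data with XStream restricts unmarshalling to an explicit allowlist using XStream's own security framework (permission classes available since XStream 1.4.7); `SessionData` and the `session` alias are hypothetical stand-ins for the application's real types.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedSessionEngine {

    /** Hypothetical session payload; stands in for whatever the application actually stores. */
    public static class SessionData {
        public String userId;
        public long expiresAt;
    }

    /** Builds an XStream instance that only instantiates types on an explicit allowlist. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Deny everything first, then re-open only what the engine needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, SessionData.class });
        // Alias so documents use <session> instead of the fully qualified class name.
        xstream.alias("session", SessionData.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed sample: a legitimate session document still deserialises.
        String benign = "<session><userId>alice</userId><expiresAt>1700000000</expiresAt></session>";
        SessionData data = (SessionData) xstream.fromXML(benign);
        System.out.println("loaded session for " + data.userId);

        // Constructed sample: any type outside the allowlist (java.lang.ProcessBuilder included)
        // is rejected by the mapper before the class is ever instantiated.
        try {
            xstream.fromXML("<java.util.ArrayList/>");
            System.out.println("UNEXPECTED: type outside allowlist was instantiated");
        } catch (XStreamException e) {
            // Root-level rejections surface as ForbiddenClassException; nested ones are
            // wrapped in ConversionException. Both extend XStreamException.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run against a classpath containing xstream-1.4.x; the first document loads, the second is refused with a ForbiddenClassException message naming java.util.ArrayList.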