Unreliable data deserialization vulnerability in Mentor

Posted date 06/06/2024
Importance
5 - Critical
Affected Resources
  • Mentor – Employee Portal, 3.83.35 version.
Description

INCIBE has coordinated the publication of a critical severity vulnerability affecting Mentor - Portal del empleado, a software for human resources management and risk prevention, which has been discovered by Raúl Caro Teixido.

This vulnerability has been assigned the following code, base score CVSS v3.1, CVSS vector and vulnerability type CWE:

  • CVE-2024-5675: CVSS v3.1: 10,0 | CVSS AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | CWE-502.

Solution

The vulnerability has been fixed by the Summar team in Mentor - Employee Portal, version 3.87.7.

Detail

CVE-2024-5675: untrusted data deserialization vulnerability has been found in Mentor - Employee Portal, affecting version 3.83.35. This vulnerability could allow an attacker to execute arbitrary code, by injecting a malicious payload into the “ViewState” field.