Untrusted data deserialization vulnerability in Mentor

Posted date: 06/06/2024
Identifier: INCIBE-2024-0297
Importance: 5 - Critical
Affected Resources:
  • Mentor – Employee Portal, version 3.83.35.
Description

INCIBE has coordinated the publication of a critical severity vulnerability affecting Mentor - Portal del empleado, a software product for human resources management and occupational risk prevention, discovered by Raúl Caro Teixido.

This vulnerability has been assigned the following CVE identifier, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-5675: CVSS v3.1: 10.0 | CVSS AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | CWE-502.

Solution

The vulnerability has been fixed by the Summar team in Mentor - Employee Portal, version 3.87.7.

Detail

CVE-2024-5675: an untrusted data deserialization vulnerability has been found in Mentor - Employee Portal, affecting version 3.83.35. This vulnerability could allow an attacker to execute arbitrary code by injecting a malicious payload into the “ViewState” field.
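The “ViewState” field is the ASP.NET Web Forms mechanism that round-trips serialized page state through the client. The advisory does not say why the affected build accepted client-controlled ViewState, so the web.config fragment below is a generic, added example of the server-side controls that make this bug class non-exploitable; it is not Summar's configuration or the fix shipped in 3.87.7. The attribute names (enableViewStateMac, viewStateEncryptionMode, machineKey) are standard ASP.NET settings; the key values are placeholders.

```xml
<!-- Added example: generic ASP.NET Web Forms ViewState hardening,
     not the vendor's configuration. Key values are placeholders. -->
<configuration>
  <system.web>
    <!-- Weak (do not use): with the MAC disabled, whatever ViewState the
         client sends is deserialized unchecked, so the client controls
         the object graph handed to the deserializer. -->
    <!-- <pages enableViewStateMac="false" viewStateEncryptionMode="Never" /> -->

    <!-- Hardened: ViewState is rejected unless its HMAC verifies, and it is
         encrypted so the serialized graph is not readable client-side.
         On .NET Framework 4.5.2 and later the MAC check can no longer be
         switched off, but the key material below still decides its strength. -->
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />

    <!-- The MAC is only as strong as the secret behind it: use an explicit,
         randomly generated, per-application key. A validationKey that was
         copied from documentation, committed to source control or shared
         across unrelated applications must be treated as compromised,
         because anyone holding it can produce ViewState that verifies. -->
    <machineKey validation="HMACSHA256"
                decryption="AES"
                validationKey="REPLACE-WITH-RANDOM-HEX-KEY"
                decryptionKey="REPLACE-WITH-RANDOM-HEX-KEY" />
  </system.web>
</configuration>
```

When reviewing a deployment for this issue, check all three points together: that the MAC is enforced, that the machineKey is not a known or reused value, and that the application does not deserialize ViewState through a custom, unauthenticated path that bypasses the page pipeline. ASP.NET logs failed ViewState MAC validations to the application event log, and a burst of those events from one client is a useful detection signal for probing of this field.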