kvf-admin through 2022-02-12 allows remote attackers to execute arbitrary code because deserialization is mishandled. The rememberMe parameter is encrypted with a hardcoded key from the com.kalvin.kvf.common.shiro.ShiroConfig file.
References
Link | Resource |
---|---|
https://github.com/kalvinGit/kvf-admin/issues/16 | Exploit Third Party Advisory |
Configurations
History
08 Aug 2023, 14:21
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-798 |
Information
Published : 2022-07-13 22:15
Updated : 2024-02-28 19:29
NVD link : CVE-2022-35857
Mitre link : CVE-2022-35857
CVE.ORG link : CVE-2022-35857
JSON object : View
Products Affected
kvf-admin_project
- kvf-admin
CWE
CWE-798
Use of Hard-coded Credentials