CyberSec.Space Logo
Back to CVE Browser

CVE-2020-26118

HIGH
8.8
CVSS Severity Score
EPSS Score0.1050%
EPSS Percentile5.28th
PublishedJan 11, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

In SmartBear Collaborator Server through 13.3.13302, use of the Google Web Toolkit (GWT) API introduces a post-authentication Java deserialization vulnerability. The application's UpdateMemento class accepts a serialized Java object directly from the user without properly sanitizing it. A malicious object can be submitted to the server via an authenticated attacker to execute commands on the underlying system.

Affected Platforms (CPE)

πŸ“¦
Smartbear

Collaborator

<= 13.3.13302

References & Advisories

πŸ”— https://support.smartbear.com/collaborator/docs/general-info/version-history/ver-13/ver-13-0.html
πŸ”— https://support.smartbear.com/collaborator/docs/general-info/whats-new.html
πŸ”— https://support.smartbear.com/collaborator/docs/server/index.html
πŸ”— https://support.smartbear.com/collaborator/docs/general-info/version-history/ver-13/ver-13-0.html
πŸ”— https://support.smartbear.com/collaborator/docs/general-info/whats-new.html
πŸ”— https://support.smartbear.com/collaborator/docs/server/index.html

Related Vulnerabilities

CVE-2021-2947510.0

HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. An attacker is able to receive arbitrary file...

CVE-2004-065010.0

UploadServlet in Cisco Collaboration Server (CCS) running ServletExec before 3.0E allows remote attackers to upload and execute ar...

CVE-2021-2289310.0

Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Sh...

CVE-2005-125510.0

Multiple stack-based buffer overflows in the IMAP server in IMail 8.12 and 8.13 in Ipswitch Collaboration Suite (ICS), and other v...