Vulnerabilities > CVE-2018-7891 - Deserialization of Untrusted Data vulnerability in multiple products

CVSS 6.8 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

milestonesys

siemens

CWE-502

NVD

Published: 2018-04-30

Updated: 2018-06-13

Summary

The Milestone XProtect Video Management Software (Corporate, Expert, Professional+, Express+, Essential+) 2016 R1 (10.0.a) to 2018 R1 (12.1a) contains .NET Remoting endpoints that are vulnerable to deserialization attacks resulting in remote code execution.

Vulnerable Configurations

Part	Description	Count
Application	Milestonesys Milestonesys Xprotect *	5
Application	Siemens Siemens Siveillance VMS *	1

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

http://www.securityfocus.com/bid/104120
https://cert-portal.siemens.com/productcert/pdf/ssa-457058.pdf
https://supportcommunity.milestonesys.com/s/article/XProtect-VMS-NET-security-vulnerability-hotfixes-for-2016-R1-2018-R1?language=en_US