Vulnerabilities > CVE-2023-36825 - Deserialization of Untrusted Data vulnerability in Orchid Platform

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

orchid

CWE-502

critical

NVD

Published: 2023-07-11

Updated: 2023-07-20

Summary

Orchid is a Laravel package that allows application development of back-office applications, admin/user panels, and dashboards. A vulnerability present starting in version 14.0.0-alpha4 and prior to version 14.5.0 is related to the deserialization of untrusted data from the `_state` query parameter, which can result in remote code execution. The issue has been addressed in version 14.5.0. Users are advised to upgrade their software to this version or any subsequent versions that include the patch. There are no known workarounds.

Vulnerable Configurations

Part	Description	Count
Application	Orchid Orchid Platform 14.0.0 Orchid Platform 14.0.1 Orchid Platform 14.0.2 Orchid Platform 14.0.3 Orchid Platform 14.1.0 Orchid Platform 14.1.1 Orchid Platform 14.2.0 Orchid Platform 14.2.1 Orchid Platform 14.3.0 Orchid Platform 14.4.0	14

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References