BMC FootPrints ITSM 20.20.02 <= 20.24.01.001 VIEWSTATE Deserialization RCE

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

可信数据的反序列化

BMC FootPrints 代码问题漏洞

BMC FootPrints是美国BMC公司的一个IT服务管理与工单跟踪系统。 BMC FootPrints 20.24.01.001及之前版本存在代码问题漏洞，该漏洞源于ASP.NET servlet的VIEWSTATE处理存在不受信任数据反序列化，可能导致经过身份验证的攻击者通过特制序列化对象执行任意代码，完全控制应用程序。

N/A

N/A