Tendenci has Authenticated Remote Code Execution via Pickle Deserialization

Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpdesk module (which is not enabled by default). This vulnerability allows Remote Code Execution (RCE) by an authenticated user with staff security level due to using Python's pickle module in helpdesk /reports/. The original CVE-2020-14942 was incompletely patched. While ticket_list() was fixed to use safe JSON deserialization, the run_report() function still uses unsafe pickle.loads(). The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions. This issue has been fixed in version 15.3.12.

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

可信数据的反序列化

Tendenci 代码问题漏洞

Tendenci是美国Tendenci公司的一款主要用于非营利组织和协会的协会管理软件。该软件支持会员管理、内容管理、事件管理和网上捐款管理等功能。 Tendenci 15.3.11及之前版本存在代码问题漏洞，该漏洞源于Helpdesk模块使用不安全的pickle反序列化，可能导致远程代码执行。

N/A

N/A