CVE-2022-39256 CRITICAL

CVE-2022-39256: Orckestra C1 CMS's deserialization of untrusted data allows for arbitrary code execution.

Vendor: Orckestra
Product: C1-CMS-Foundation
Weakness: CWE-502 · Unsafe deserialization
Published: September 27, 2022
Last update: April 23, 2025

CVSS base score

9.0/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Orckestra C1 CMS is a .NET based Web Content Management System. A vulnerability in versions prior to 6.13 allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated user may perform the actions unknowingly by visiting a specially crafted site. This issue is patched in C1 CMS v6.13. There are no known workarounds.

Key dates

02 Disclosure timeline

September 27, 2022: CVE published
April 23, 2025: Record updated