What the vulnerability does
Description
Deserialization of Untrusted Data vulnerability in designthemes Knowledge Base (kbase) allows Object Injection. This issue affects Knowledge Base: from n/a through 2.9 (all versions up to and including 2.9).
CVSS base score: 8.8 (High; computed from the CVSS 3.1 vector below)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Explanation of Vulnerability in Simple Terms
The Knowledge Base product by designthemes contains a deserialization vulnerability in versions 2.9 and earlier. An authenticated user with low privileges can send specially crafted data that the application deserializes without proper validation, allowing them to read sensitive information, modify site data, or disrupt service. No user interaction is required beyond the initial authentication.
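As an added illustration (this is not the Knowledge Base plugin's code, and every function and field name here is hypothetical), the generic PHP pattern behind a "Deserialization of Untrusted Data" finding is shown next to two hardened alternatives and a simple request-level check a defender can use in a WAF rule or log review:

```php
<?php
// Added illustration, not code from the Knowledge Base plugin. Function and
// field names are hypothetical; the pattern is the generic one behind
// "Deserialization of Untrusted Data -> Object Injection".

// --- Vulnerable pattern ------------------------------------------------------
// A request field supplied by an authenticated user goes straight into
// unserialize(). PHP instantiates whatever class the payload names, and magic
// methods such as __wakeup() or __destruct() on that class will run.
function kb_load_settings_unsafe(string $raw)
{
    return unserialize($raw);            // untrusted bytes reach unserialize()
}

// --- Hardened option 1: forbid objects entirely ------------------------------
// 'allowed_classes' => false (PHP >= 7.0) turns any object in the payload into
// __PHP_Incomplete_Class, so no application class and no magic method is
// reached. Scalars and (nested) arrays still deserialize normally.
function kb_load_settings_scalars_only(string $raw)
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        return null;                     // malformed or rejected payload
    }
    return $value;
}

// --- Hardened option 2: use JSON and validate the shape ----------------------
// JSON has no notion of PHP objects, so object injection is impossible by
// construction; the remaining job is to enforce the expected schema.
function kb_load_settings_json(string $raw): ?array
{
    $data = json_decode($raw, true, 8);  // depth limit bounds nesting
    if (!is_array($data)) {
        return null;
    }
    $perPage = filter_var($data['per_page'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    $sort = $data['sort'] ?? 'date';
    if ($perPage === false || !in_array($sort, ['date', 'title'], true)) {
        return null;                     // unexpected value: reject whole input
    }
    return ['per_page' => $perPage, 'sort' => $sort];
}

// --- Detection aid: does a request value carry a serialized PHP object? ------
// The O:<len>:"<ClassName>":<n>:{ token is how PHP encodes serialized objects,
// whether at the top level or nested inside an array.
function kb_looks_like_serialized_object(string $raw): bool
{
    return (bool) preg_match('/(^|[;{])O:\d+:"[A-Za-z_\\\\][\w\\\\]*":\d+:\{/', $raw);
}

// Demonstration with constructed inputs (not real traffic):
$plain  = serialize(['per_page' => 10, 'sort' => 'date']);
$object = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';

var_dump(kb_looks_like_serialized_object($plain));   // false
var_dump(kb_looks_like_serialized_object($object));  // true
var_dump(kb_load_settings_scalars_only($object));    // __PHP_Incomplete_Class, not stdClass
var_dump(kb_load_settings_json('{"per_page":10,"sort":"date"}'));
```

Option 2 is the stronger fix because it removes the dangerous primitive altogether; option 1 is the smaller change when an existing serialized format must be kept. Either way, the handler that accepts the data should still verify a nonce and the caller's capability, since the CVSS vector (PR:L) says an ordinary authenticated account is enough to reach it.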
What an attacker can do
Read sensitive data, modify site content, or crash the application.
Potential impact on your site
Any authenticated user can compromise confidentiality, integrity, and availability of your site.
Conditions required to exploit
Attacker must have a low-privilege authenticated account on the site.