What the vulnerability does
Description
Deserialization of Untrusted Data vulnerability in Kleor Contact Manager (contact-manager) allows Object Injection. This issue affects Contact Manager: from n/a through <= 9.1.1.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Explanation of Vulnerability in Simple Terms
Kleor Contact Manager versions up to 9.1.1 contain a deserialization vulnerability that allows attackers to execute arbitrary code on the site. An attacker can craft a malicious serialized object that, when processed by the application, runs their own code with full site privileges. The vulnerability requires user interaction (typically a victim must click a link or visit a page) but does not require authentication.
What an attacker can do
Run their own code on the site with full privileges, read/modify/delete data, and compromise user accounts.
Potential impact on your site
Complete site compromise: attackers can steal data, modify content, create admin accounts, or take the site offline.
Conditions required to exploit
Network access and user interaction (victim must click a link or visit a page).
Key dates
External resources
Related vulnerabilities