Description

Serialization is the process of turning an object into a data format that can be stored or transmitted and restored later. Applications commonly serialize objects to save them to storage or to send them as part of a message. Deserialization is the reverse of that process: taking data structured in some format and rebuilding it into an object. The security problem arises when the serialized data, including the choice of which class to instantiate, comes from an untrusted source, because the deserializer then creates objects and invokes constructors and property setters that the application never intended to expose to a client.

The web application was found to use the AjaxPro.NET library in a configuration that allows deserialization of objects of arbitrary classes from client-supplied data. Arbitrary object deserialization is inherently unsafe and should never be performed on untrusted data: if the client can name the class, it can pick any loadable type whose constructor or setters have side effects, which is the usual path from a deserialization flaw to remote code execution in .NET.
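The following C# program is an added illustration of the pattern described above and is not AjaxPro.NET's own code. It contrasts a deserializer that instantiates whatever type the client names in a `__type` property with one that only instantiates an allowlisted set of DTOs. The `Order` class, the `__type` property name and the sample payloads are assumptions made for this example.

```csharp
// Added illustration (not AjaxPro.NET source): arbitrary-type deserialization
// versus an allowlist. Type names, the "__type" property and the sample
// payloads are assumptions for this example.
using System;
using System.Collections.Generic;
using System.Text.Json;

public sealed class Order
{
    public string Id { get; set; } = "";
    public int Quantity { get; set; }
}

public static class Deserializers
{
    // Constructed sample request body, as a legitimate client might send it.
    public const string SamplePayload =
        "{\"__type\":\"Order\",\"Id\":\"A-17\",\"Quantity\":3}";

    // UNSAFE: the client chooses the class. Any type that Type.GetType can
    // resolve (including assembly-qualified names) and that has a public
    // parameterless constructor is instantiated, and every writable property
    // named in the JSON has its setter invoked with attacker-controlled data.
    public static object UnsafeDeserialize(string json)
    {
        using var doc = JsonDocument.Parse(json);
        string typeName = doc.RootElement.GetProperty("__type").GetString()!;
        Type t = Type.GetType(typeName, throwOnError: true)!;
        object instance = Activator.CreateInstance(t)!;
        foreach (var prop in doc.RootElement.EnumerateObject())
        {
            if (prop.Name == "__type") continue;
            var pi = t.GetProperty(prop.Name);
            if (pi != null && pi.CanWrite)
                pi.SetValue(instance,
                    JsonSerializer.Deserialize(prop.Value.GetRawText(), pi.PropertyType));
        }
        return instance;
    }

    // SAFER: the server maps a short tag to a fixed set of plain DTO types.
    // The client can only select from this table; anything else is rejected
    // before any object is created.
    private static readonly Dictionary<string, Type> Allowed = new()
    {
        ["Order"] = typeof(Order),
    };

    public static object SafeDeserialize(string json)
    {
        using var doc = JsonDocument.Parse(json);
        string tag = doc.RootElement.GetProperty("__type").GetString() ?? "";
        if (!Allowed.TryGetValue(tag, out Type? t))
            throw new InvalidOperationException($"Type tag '{tag}' is not permitted.");
        // System.Text.Json ignores the unmatched "__type" property by default.
        return JsonSerializer.Deserialize(json, t)!;
    }
}

public static class Demo
{
    public static void Main()
    {
        var order = (Order)Deserializers.SafeDeserialize(Deserializers.SamplePayload);
        Console.WriteLine($"Order {order.Id} x{order.Quantity}");

        // A payload naming a type the application never exposes is refused by
        // the allowlist; UnsafeDeserialize would instead try to instantiate it.
        try
        {
            Deserializers.SafeDeserialize("{\"__type\":\"Some.Other.Type, SomeAssembly\"}");
        }
        catch (InvalidOperationException e)
        {
            Console.WriteLine(e.Message);
        }
    }
}
```

The point of the contrast is that the fix is not input sanitisation of property values but control over which types can be created at all: the allowlist keeps the decision on the server, so a client supplying an assembly-qualified type name gains nothing.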

Remediation

Upgrade to the latest version of AjaxPro.NET. After upgrading, verify the fix rather than assuming it: send a request to an AjaxPro endpoint that names a class the application does not expose through AjaxPro and confirm that the request is rejected instead of instantiating the type. Until the upgrade is deployed, do not expose the affected endpoints to untrusted clients, since the weakness lies in the library's handling of client-supplied type information and cannot be mitigated by validating individual field values.

References

Related Vulnerabilities