Vulnerability Description
In SmartBear Collaborator Server through 13.3.13302, use of the Google Web Toolkit (GWT) API introduces a post-authentication Java deserialization vulnerability. The application's UpdateMemento class accepts a serialized Java object directly from the user without properly sanitizing it. A malicious object can be submitted to the server by an authenticated attacker to execute commands on the underlying system.
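The root cause described above is the classic one for this vulnerability class: a server-side handler calls ObjectInputStream.readObject() on bytes supplied by the client, so any Serializable class on the server's classpath can be instantiated. The following Java example is added here to illustrate the defect and the standard mitigation; it is not Collaborator's code, and the real UpdateMemento signature is not on this page. The Memento class, the readUnfiltered/readFiltered methods and the sample payloads are hypothetical. The hardened variant uses the JDK's built-in ObjectInputFilter (JEP 290, Java 9+) to allow only the expected class, cap nesting depth and reject everything else before any constructor or readObject hook runs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Set;

public class MementoDeserializationDemo {

    // Hypothetical stand-in for the server's expected memento type.
    static final class Memento implements Serializable {
        private static final long serialVersionUID = 1L;
        final String state;
        Memento(String state) { this.state = state; }
    }

    // Vulnerable pattern: the stream decides which classes get instantiated.
    static Object readUnfiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an explicit allow-list filter is consulted for every
    // class (and for array/depth/size checks, where serialClass() is null)
    // before the object is created.
    static Memento readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        final Set<Class<?>> allowed = Set.of(Memento.class, String.class);
        ObjectInputFilter allowList = info -> {
            if (info.depth() > 3) {                       // cap nesting to frustrate deep graphs
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> c = info.serialClass();
            if (c == null) {                              // no class to judge (limit checks only)
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return allowed.contains(c)
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;  // anything unexpected is refused
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(allowList);
            return (Memento) in.readObject();
        }
    }

    // Helper to build constructed sample payloads for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Memento("draft-42"));
        // A benign but unexpected type stands in for "whatever the attacker sent".
        byte[] unexpected = serialize(new ArrayList<>(java.util.List.of("x")));

        // The legitimate payload works with both readers.
        System.out.println("unfiltered, expected type: " + readUnfiltered(expected).getClass());
        System.out.println("filtered,   expected type: " + readFiltered(expected).state);

        // The unfiltered reader happily instantiates the unexpected class...
        System.out.println("unfiltered, unexpected type: " + readUnfiltered(unexpected).getClass());

        // ...while the filtered reader refuses it before any object is built.
        try {
            readFiltered(unexpected);
            System.out.println("filtered, unexpected type: accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type: rejected by filter -> " + e.getMessage());
        }
    }
}
```

For a fleet-wide control rather than a per-stream one, the same allow-list can be installed as the process default with ObjectInputFilter.Config.setSerialFilter() or via the jdk.serialFilter system property, which also covers deserialization paths (such as framework-owned ones) that application code never touches directly. Logging each REJECTED decision gives a cheap detection signal for probing attempts against endpoints like the one described here.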
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Smartbear | Collaborator | <= 13.3.13302 |
Related Weaknesses (CWE)
References
- https://support.smartbear.com/collaborator/docs/general-info/version-history/ver (Release Notes, Vendor Advisory)
- https://support.smartbear.com/collaborator/docs/general-info/whats-new.html (Release Notes, Vendor Advisory)
- https://support.smartbear.com/collaborator/docs/server/index.html (Product, Vendor Advisory)
FAQ
What is CVE-2020-26118?
CVE-2020-26118 is a vulnerability with a CVSS score of 8.8 (HIGH). In SmartBear Collaborator Server through 13.3.13302, use of the Google Web Toolkit (GWT) API introduces a post-authentication Java deserialization vulnerability. The application's UpdateMemento class ...
How severe is CVE-2020-26118?
CVE-2020-26118 has been rated HIGH with a CVSS base score of 8.8/10. See the CVSS Score section above.
Is there a patch for CVE-2020-26118?
Check the references section above for vendor advisories and patch information. Affected products include: Smartbear Collaborator.