CVE-2017-14143
N/A
N/A
Summary
The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzone cookie.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/kaltura/server/commit/6a6d14328b7a1493e8c47f9565461e5f88be20c9#diff-0770640cc76112cbf77bebc604852682
- https://www.exploit-db.com/exploits/43028/
- https://www.exploit-db.com/exploits/43876/
- https://telekomsecurity.github.io/assets/advisories/20170912_kaltura-advisory.txt
- http://www.securityfocus.com/bid/100976
References
- https://github.com/kaltura/server/commit/6a6d14328b7a1493e8c47f9565461e5f88be20c9#diff-0770640cc76112cbf77bebc604852682
- https://www.exploit-db.com/exploits/43028/
- https://www.exploit-db.com/exploits/43876/
- https://telekomsecurity.github.io/assets/advisories/20170912_kaltura-advisory.txt
- http://www.securityfocus.com/bid/100976
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.