CVE-2021-32828: Deserialization of Untrusted Data

January 6, 2023 (updated January 9, 2023)

The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the oauth2 REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escalated to Remote Code Execution (RCE) by levering the automation API.

References

github.com/advisories/GHSA-x347-fc9w-w7c3
github.com/nuxeo/nuxeo/blob/master/modules/platform/nuxeo-platform-oauth/src/main/java/org/nuxeo/ecm/webengine/oauth2/OAuth2Callback.java
nvd.nist.gov/vuln/detail/CVE-2021-32828
securitylab.github.com/advisories/GHSL-2021-072-nuxeo

Detect and mitigate CVE-2021-32828 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →