CVE-2017-14141
high
CVSS v3
7.2
CVSS v4 NEW
โ
VIR risk
7.2
Description
The wiki_decode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object.
Predictions
Exploit likelihood
81%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| kaltura | kaltura_server | {"endExcluding":"13.2.0"} | 13.2.0 |
References
- http://www.securityfocus.com/bid/100976
- https://github.com/kaltura/server/commit/6a6d14328b7a1493e8c47f9565461e5f88be20c9#diff-0770640cc76112cbf77bebc604852682
- https://telekomsecurity.github.io/assets/advisories/20170912_kaltura-advisory.txt
- http://www.securityfocus.com/bid/100976
- https://github.com/kaltura/server/commit/6a6d14328b7a1493e8c47f9565461e5f88be20c9#diff-0770640cc76112cbf77bebc604852682
- https://telekomsecurity.github.io/assets/advisories/20170912_kaltura-advisory.txt
CWEs
CWE-502
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.