CVE-2020-26118

Name of the Vulnerable Software and Affected Versions: SmartBear Collaborator Server versions prior to 13.3.13302

Description: The issue arises from the use of the Google Web Toolkit (GWT) API, introducing a post-authentication Java deserialization vulnerability. Specifically, the application's UpdateMemento class accepts a serialized Java object directly from the user without proper sanitization. This allows a malicious object to be submitted to the server via an authenticated attacker, potentially executing commands on the underlying system.

Recommendations: For versions prior to 13.3.13302, consider disabling the UpdateMemento class or restricting its access to prevent exploitation until a patch is available. Additionally, ensure that all user input is properly sanitized to prevent malicious objects from being submitted to the server. At the moment, there is no information about a newer version that contains a fix for this vulnerability.