PT-2021-15549 · Ajaxpro · Ajaxpro

Hans-Martin Münch

Published 2021-12-03 · Updated 2023-11-14

CVE-2021-23758

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ajaxpro.2 (Ajax.NET Professional) versions prior to 21.11.29.1
Description: The issue is a Deserialization of Untrusted Data weakness that can be abused to gain remote code execution. The AjaxPro deserializer lets the incoming payload determine which .NET classes are instantiated, so an attacker who can reach it with a crafted request can have the server construct attacker-chosen types and run whatever code their constructors, property setters and other members execute while the object is being populated, up to and including local OS commands. No authentication or user interaction is needed, which is reflected in the PR:N/UI:N components of the vector.
Recommendations: For versions prior to 21.11.29.1, update to 21.11.29.1 or later from the project's GitHub repository; the fix is published there. As a temporary workaround, restrict what the deserializer will accept from untrusted input, in particular the set of types it is allowed to instantiate, so that an attacker can no longer select arbitrary classes. Obtain binary DLLs only from the official repository, not from third-party download sites.
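As an added illustration (not AjaxPro's code and not the exploit for this CVE), the following C# program shows the pattern the description refers to and the check the recommendation amounts to: a deserializer that honours a type name supplied in the payload beside one that only accepts types the endpoint has allowlisted. The "__type" field, the SideEffectSink stand-in and the request bodies are constructed for the example.

```csharp
// Added example, not AjaxPro's code. Targets .NET 6+ (System.Text.Json).
using System;
using System.Collections.Generic;
using System.Text.Json;

// The only type this endpoint legitimately receives.
public sealed class PingRequest
{
    public string Host { get; set; } = "";
}

// Constructed stand-in for a "gadget": a type somewhere in the process whose
// property setter does work as a side effect. Real gadgets start processes,
// write files or load assemblies; this one only records that it was reached.
public sealed class SideEffectSink
{
    public static int SetterCalls;
    private string _target = "";
    public string Target { get => _target; set { _target = value; SetterCalls++; } }
}

public static class TypeHintDeserializer
{
    // Hypothetical wire format: the JSON object carries a "__type" hint.
    private static string ReadTypeHint(string json)
    {
        using var doc = JsonDocument.Parse(json);
        return doc.RootElement.GetProperty("__type").GetString()
               ?? throw new JsonException("missing __type");
    }

    // Vulnerable pattern: any loadable type with a public parameterless
    // constructor is instantiated, and its setters run on attacker data.
    public static object DeserializeUnsafe(string json)
    {
        Type t = Type.GetType(ReadTypeHint(json), throwOnError: true)!;
        return JsonSerializer.Deserialize(json, t)!;
    }

    // Hardened pattern: the server owns the mapping from hint to type, so the
    // payload can only choose among types this endpoint actually accepts.
    private static readonly Dictionary<string, Type> Allowed = new()
    {
        ["PingRequest"] = typeof(PingRequest),
    };

    public static object DeserializeSafe(string json)
    {
        string hint = ReadTypeHint(json);
        if (!Allowed.TryGetValue(hint, out Type? t))
            throw new JsonException($"type hint '{hint}' is not permitted here");
        return JsonSerializer.Deserialize(json, t)!;
    }

    public static void Main()
    {
        // Constructed request bodies: one legitimate, one naming a type the
        // endpoint never intended to deserialize.
        string benign  = "{\"__type\":\"PingRequest\",\"Host\":\"10.0.0.5\"}";
        string hostile = "{\"__type\":\"SideEffectSink\",\"Target\":\"anything\"}";

        Console.WriteLine(DeserializeSafe(benign).GetType().Name);

        // The unsafe path resolves and populates the attacker-chosen type,
        // so the stand-in's setter runs on the server.
        DeserializeUnsafe(hostile);
        Console.WriteLine($"gadget setter ran {SideEffectSink.SetterCalls} time(s)");

        // The safe path rejects the same payload before any type is created.
        try { DeserializeSafe(hostile); }
        catch (JsonException e) { Console.WriteLine(e.Message); }
    }
}
```

The allowlist is the essential control: the fix is not to stop reading type hints but to stop letting the client pick from the whole set of loadable types. Resolving the type from the payload and then checking a denylist of known gadgets is not equivalent, because new gadget types keep being found.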

Weakness Enumeration

Deserialization of Untrusted Data (CWE-502)

Related Identifiers

CVE-2021-23758
GHSA-6R7C-6W96-8PVW
GHSA-74R6-GRJ9-8RQ6
SNYK-DOTNET-AJAXPRO2-1925971

Affected Products

Ajaxpro