CVE-2021-35196

Name of the Vulnerable Software and Affected Versions Manuskript versions 0.12.0 and earlier

Description The issue is related to insecure deserialization via the pickle.load() function in settings.py, allowing remote attackers to execute arbitrary code by crafting a settings.pickle file in a project file. This could potentially lead to unauthorized access to confidential data, disruption of data integrity, and denial of service. The vendor's position is that the product is not intended for opening untrusted project files.

Recommendations For Manuskript versions 0.12.0 and earlier, consider disabling the pickle.load() function in settings.py as a temporary workaround until a patch is available. Restrict access to untrusted project files to minimize the risk of exploitation. Avoid using the pickle.load() function with untrusted data until the issue is resolved.