PT-2025-21145 · Unknown · Cap Collectif
Published 2025-05-14 · Updated 2025-05-17 · CVE-2025-47292
CVSS v4.0: 9.5 (Critical)
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
Name of the Vulnerable Software and Affected Versions:
Cap Collectif, all versions prior to the one that includes commit 812f2a7d271b76deab1175bdaf2be0b8102dd198
Description:
Cap Collectif, an online decision-making platform, deserializes a Cursor in its DebateAlternateArgumentsResolver without restricting which classes may be instantiated. Because the cursor can be supplied by an unauthenticated user, arbitrary classes can be deserialized from attacker-controlled data, leading to Remote Code Execution.
Recommendations:
Update to a version that includes the fix from commit 812f2a7d271b76deab1175bdaf2be0b8102dd198.
As a temporary workaround, consider restricting access to the DebateAlternateArgumentsResolver until the update can be applied.
Exploit
Fix
RCE
Deserialization of Untrusted Data
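The flaw described above is an instance of a general deserialization problem: a pagination cursor that the server hands to clients and later decodes with a generic deserializer that rebuilds whatever type the client encoded. The following Python example is added here for illustration and is not taken from Cap Collectif's code base, which this page does not reproduce; Python's `pickle` stands in for whatever generic deserializer the affected resolver used, and every name in it (`Marker`, `decode_cursor_unsafe`, `decode_cursor`, `is_valid_cursor`, `SECRET_KEY`, `MAX_OFFSET`) is constructed for the example. It contrasts the untyped pattern with a cursor that is a signed, schema-checked integer.

```python
"""Untyped cursor deserialization versus a typed, signed cursor.

Constructed illustration of the weakness class in the advisory (not Cap
Collectif's code). A cursor only ever needs to carry an offset, so the
decoder can insist on exactly that and reject everything else.
"""
import base64
import hashlib
import hmac
import json
import pickle

# Constructed demo key; a real service loads this from configuration.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
MAX_OFFSET = 1_000_000


class Marker:
    """Benign class standing in for 'any class' a client could name in a cursor."""


# --- Flawed pattern: the cursor is an opaque serialized object --------------

def encode_cursor_unsafe(value):
    """Encode an arbitrary object as a base64 pickle (the flawed design)."""
    return base64.urlsafe_b64encode(pickle.dumps(value)).decode("ascii")


def decode_cursor_unsafe(cursor):
    """Decode with no type restriction: whatever class the client serialized is
    reconstructed. The server never checks that it received an integer."""
    return pickle.loads(base64.urlsafe_b64decode(cursor))


# --- Hardened pattern: signed JSON document with a fixed schema --------------

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def encode_cursor(offset: int) -> str:
    """Encode a non-negative integer offset as base64url(json) + '.' + hmac."""
    if not isinstance(offset, int) or isinstance(offset, bool) or offset < 0:
        raise ValueError("offset must be a non-negative int")
    payload = json.dumps({"offset": offset}, separators=(",", ":")).encode("ascii")
    token = base64.urlsafe_b64encode(payload).decode("ascii").rstrip("=")
    return f"{token}.{_sign(payload)}"


def decode_cursor(cursor: str) -> int:
    """Verify the signature, then parse against a strict schema. Anything that
    is not exactly {"offset": <int within range>} is rejected before use."""
    try:
        token, sig = cursor.split(".", 1)
        payload = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, TypeError, AttributeError) as exc:
        raise ValueError("malformed cursor") from exc
    # Constant-time comparison; a forged or tampered cursor fails here.
    if not hmac.compare_digest(_sign(payload), sig):
        raise ValueError("cursor signature mismatch")
    try:
        doc = json.loads(payload)
    except ValueError as exc:
        raise ValueError("cursor payload is not JSON") from exc
    if not isinstance(doc, dict) or set(doc) != {"offset"}:
        raise ValueError("unexpected cursor schema")
    offset = doc["offset"]
    if not isinstance(offset, int) or isinstance(offset, bool):
        raise ValueError("offset must be an integer")
    if not 0 <= offset <= MAX_OFFSET:
        raise ValueError("offset out of range")
    return offset


def is_valid_cursor(cursor) -> bool:
    """Accept/reject answer for callers that want to log and drop bad cursors."""
    try:
        decode_cursor(cursor)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The unsafe decoder happily rebuilds a Marker; the hardened one will not
    # even parse the same cursor, because it is not a signed JSON offset.
    opaque = encode_cursor_unsafe(Marker())
    print("unsafe decoder returned:", type(decode_cursor_unsafe(opaque)).__name__)
    print("hardened decoder accepts it:", is_valid_cursor(opaque))
    print("hardened round trip:", decode_cursor(encode_cursor(42)))
```

The design point is that the decoder's accepted input is a whitelist of one shape rather than a general object graph: the HMAC stops forged cursors before any parsing of the payload, and the schema check stops a well-formed payload from smuggling in anything other than an in-range integer. Rejected cursors are a useful detection signal, since legitimate clients only ever replay cursors the server itself issued.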
Weakness Enumeration
Related Identifiers
Affected Products: Cap Collectif