PT-2025-30620 · Kaltura · Kaltura
Published
2025-07-23
·
Updated
2025-07-24
·
CVE-2016-15044
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Kaltura versions prior to 11.1.0-2
Description
A remote code execution issue exists due to unsafe deserialization of user-controlled data within the
keditorservices module. An unauthenticated remote attacker can exploit this by sending a specially crafted serialized PHP object in the kdata GET parameter to the /redirectWidgetCmd endpoint, leading to arbitrary PHP code execution in the context of the web server process.Recommendations
Update Kaltura to version 11.1.0-2 or later.
Fix
RCE
Deserialization of Untrusted Data
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Kaltura