Kentico 13 CMS: VAPT scan issue for Deserialization Of Untrusted Data

Quan Lee asked on May 20, 2022 04:58

Hello guys, our client is using a VAPT scan and it has detected an issue belonging to CMS OOTB code (path is: CMSModules/ImportExport/Controls/ImportWizard.ascx). Basically, in the EnsureLicenseFromPackage method, they suggest using other serializers instead of BinaryFormatter to be safer. Can we have any patch to fix this, or do I have to update it by myself? If we change to another serializer, will there be any risk?

Thank you so much!
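For readers landing on this thread with the same scanner finding, the example below (added here; it is not Kentico code and does not reflect how ImportWizard.ascx or EnsureLicenseFromPackage are actually implemented) shows the two patterns a reviewer usually asks for when BinaryFormatter is flagged on data read from an uploaded package. The LicensePackageInfo type, the class and method names, and the JSON payload format are all assumptions made for the illustration. Option A deserializes into a fixed, data-only type with System.Text.Json, so the payload cannot select which types get instantiated. Option B is the fallback for old packages that already contain BinaryFormatter streams: a SerializationBinder that allows exactly one type. Microsoft's own guidance is that a binder reduces but does not eliminate the risk of BinaryFormatter on untrusted input, which is why it is marked as the legacy path only.

```csharp
// Added example (not Kentico code). Replacing BinaryFormatter for license data
// that arrives inside an uploaded import package, i.e. untrusted input.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical DTO standing in for whatever license metadata a package carries.
// [Serializable] is only needed for the legacy BinaryFormatter path (Option B).
[Serializable]
public sealed class LicensePackageInfo
{
    public string Domain { get; set; } = "";
    public string Edition { get; set; } = "";
    public DateTime ExpiresOn { get; set; }
}

// Option A (preferred): a data-only serializer. The payload can only populate
// properties of LicensePackageInfo; it cannot name arbitrary types to create.
public static class LicensePackageJson
{
    private static readonly JsonSerializerOptions Options = new JsonSerializerOptions
    {
        PropertyNameCaseInsensitive = true,
        MaxDepth = 8 // reject deeply nested payloads early
    };

    public static byte[] Serialize(LicensePackageInfo info) =>
        JsonSerializer.SerializeToUtf8Bytes(info, Options);

    public static LicensePackageInfo Deserialize(byte[] data)
    {
        var info = JsonSerializer.Deserialize<LicensePackageInfo>(data, Options)
                   ?? throw new InvalidDataException("Empty license payload.");

        // Validate content after parsing; a safe parser does not make the data trustworthy.
        if (string.IsNullOrWhiteSpace(info.Domain))
            throw new InvalidDataException("License payload has no domain.");
        if (info.ExpiresOn < DateTime.UtcNow)
            throw new InvalidDataException("License payload is already expired.");
        return info;
    }
}

// Option B (legacy packages only): keep BinaryFormatter but bind the stream to a
// fixed allow-list of types and refuse everything else. Any other type name in
// the stream, including the gadget types scanners look for, throws before
// instantiation. Treat this as a mitigation, not a fix.
public sealed class LicenseOnlyBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(LicensePackageInfo).FullName)
            return typeof(LicensePackageInfo);

        throw new SerializationException(
            $"Type '{typeName}' is not allowed in a license package.");
    }
}

public static class LegacyLicenseReader
{
    public static LicensePackageInfo Read(Stream packageStream)
    {
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete; kept only for old packages
        var formatter = new BinaryFormatter { Binder = new LicenseOnlyBinder() };
        return (LicensePackageInfo)formatter.Deserialize(packageStream);
#pragma warning restore SYSLIB0011
    }
}
```

When swapping serializers in a product like this, the practical risk is compatibility rather than security: packages exported by older versions still contain the old stream format, so a migration typically reads legacy packages through the binder-restricted path and writes new packages only with the data-only format. Because ImportWizard.ascx is vendor code, any such change made locally is overwritten by hotfixes, which is the reason to route the finding through the vendor as suggested in the answer below rather than patching it in place.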

Recent Answers
Juraj Ondrus answered on May 20, 2022 05:46

Could you please elaborate more on what the issue is and what is the bug? If you have a proof of concept of an attack or security vulnerability, you can share it with our security experts: security@kentico.com and if it is indeed a security bug, a hotfix will be released.

0 votes

Quan Lee answered on June 21, 2022 05:27

Thank you Juraj Ondrus, I will send the email to the security experts for more detail.

0 votes
