Authenticated Remote Code Execution in OrbiTeam BSCW Classic before 7.4.3 via Python Code Injection in .bscw File Class Attribute

CVE-2021-39271 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

OrbiTeam BSCW Classic before 7.4.3 allows authenticated remote code execution (RCE) during archive extraction via attacker-supplied Python code in the class attribute of a .bscw file. This is fixed in 5.0.12, 5.1.10, 5.2.4, 7.3.3, and 7.4.3.