Loftware Spectrum before 4.6 HF13 Deserializes Untrusted Data.
The vulnerability consists of the fact that Loftware Spectrum application accepts and processes (deserializes) data supplied by an external user without proper validation or trust verification. An attacker can supply a crafted payload containing a malicious object that will be executed by the application during deserialization. The attack vector is network-based, requires no authentication or privileges, making this vulnerability particularly dangerous.
Successful exploitation of the vulnerability can lead to complete system compromise — the attacker gains the ability to read and modify data and cause service unavailability (confidentiality, integrity, and availability all rated as HIGH in CVSS). In practice, deserialization vulnerabilities of untrusted data often result in remote code execution (RCE).
Loftware Spectrum should be updated to version 4.6 HF13 or later. Detailed information about the patch is available in the vendor's official release notes: https://docs.loftware.com/spectrum-releasenotes/Content/Hotfix/4.6_HF13.htm
Loftware Spectrum in versions before 4.6 HF13
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLoftware Spectrum
APPLoftware4.6< 4.6
Related vulnerabilities
Loftware Spectrum — zakodowane na stałe hasło (Hard-coded Password)
Loftware Spectrum — brak uwierzytelnienia dla krytycznej funkcji (Auth Bypass)
Loftware Spectrum — niezabezpieczony rejestr JMX umożliwia zdalny dostęp
Loftware Spectrum before 4.6 HF14 allows authenticated XXE attacks.
Loftware Spectrum through 4.6 exposes Sensitive Information (Logs) to an Unauthorized Actor.