Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

1 vulnerability by cap-collectif

CVE-2025-47292 (GCVE-0-2025-47292)

Vulnerability from cvelistv5 – Published: 2025-05-14 10:44 – Updated: 2025-05-14 13:34
VLAI
Title
Cap Collectif vulnerable to insecure deserialization leading to remote code execution
Summary
Cap Collectif is an online decision making platform that integrates several tools. Before commit 812f2a7d271b76deab1175bdaf2be0b8102dd198, the `DebateAlternateArgumentsResolver` deserializes a `Cursor`, allowing any classes and which can be controlled by unauthenticated user. Exploitation of this vulnerability can lead to Remote Code Execution. The vulnerability is fixed in commit 812f2a7d271b76deab1175bdaf2be0b8102dd198.
Severity
9.5 (Critical)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
Vendor Product Version
cap-collectif cap-collectif Affected: < 812f2a7d271b76deab1175bdaf2be0b8102dd198
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-47292",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-14T13:34:49.485138Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-14T13:34:56.456Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cap-collectif",
          "vendor": "cap-collectif",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 812f2a7d271b76deab1175bdaf2be0b8102dd198"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cap Collectif is an online decision making platform that integrates several tools. Before commit 812f2a7d271b76deab1175bdaf2be0b8102dd198, the `DebateAlternateArgumentsResolver` deserializes a `Cursor`, allowing any classes and which can be controlled by unauthenticated user. Exploitation of this vulnerability can lead to Remote Code Execution. The vulnerability is fixed in commit 812f2a7d271b76deab1175bdaf2be0b8102dd198."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.5,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-14T10:44:28.478Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/cap-collectif/cap-collectif/security/advisories/GHSA-hf7r-rjh4-5fc8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/cap-collectif/cap-collectif/security/advisories/GHSA-hf7r-rjh4-5fc8"
        },
        {
          "name": "https://github.com/cap-collectif/cap-collectif/commit/812f2a7d271b76deab1175bdaf2be0b8102dd198",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cap-collectif/cap-collectif/commit/812f2a7d271b76deab1175bdaf2be0b8102dd198"
        }
      ],
      "source": {
        "advisory": "GHSA-hf7r-rjh4-5fc8",
        "discovery": "UNKNOWN"
      },
      "title": "Cap Collectif vulnerable to insecure deserialization leading to remote code execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-47292",
    "datePublished": "2025-05-14T10:44:28.478Z",
    "dateReserved": "2025-05-05T16:53:10.374Z",
    "dateUpdated": "2025-05-14T13:34:56.456Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}