VisiCut Insecure XML Deserialization Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A vulnerability in VisiCut version 2.1 allows for arbitrary code execution through insecure XML deserialization. This issue arises in the 'loadPlfFile' method of 'VisicutModel.java', where user-provided XML is processed without proper validation. An attacker can exploit this by crafting a '.plf' file that includes a malicious 'transform.xml', which, when opened by a user, executes arbitrary code and potentially allows remote access to the user's machine.

Impact

Exploitation of this vulnerability could lead to unauthorized code execution on the user's machine, with the potential for remote access, depending on the executed code.

Reproduction

To reproduce this vulnerability, create a '.plf' file that includes a 'transform.xml' file with a malicious payload designed to execute arbitrary code. Once the '.plf' file is crafted, it can be opened in VisiCut, triggering the code execution.
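
As an added example (not VisiCut's code and not part of the original advisory), the following pre-open triage check flags any 'transform.xml' inside a '.plf' that names a class outside a small allowlist or requests a method call. Assumptions: a '.plf' is a ZIP container, 'transform.xml' uses the java.beans XMLEncoder/XMLDecoder format, and the allowlist and size limit match files saved by your own installation; the sample inputs are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ALLOWED_CLASSES = {"java.beans.XMLDecoder", "java.awt.geom.AffineTransform"}  # assumption
MAX_XML_BYTES = 64 * 1024  # assumption: a serialized transform is small

def scan_transform_xml(xml_bytes):
    """Return findings for one transform.xml; an empty list means nothing was flagged."""
    # Refuse DTDs, entity declarations and NUL bytes (UTF-16/32) before parsing.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes or b"\x00" in xml_bytes:
        return ["DTD, entity declaration or NUL byte present"]
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    findings = []
    for elem in root.iter():
        cls = elem.get("class")
        if cls is not None and cls not in ALLOWED_CLASSES:
            findings.append("unexpected class %r on <%s>" % (cls, elem.tag))
        if elem.get("method") is not None:
            findings.append("method attribute %r on <%s>" % (elem.get("method"), elem.tag))
    return findings

def scan_plf(plf_bytes):
    """Scan every archive member named transform.xml in a .plf passed as bytes."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(plf_bytes)) as archive:
            for info in archive.infolist():
                if info.filename.rsplit("/", 1)[-1].lower() != "transform.xml":
                    continue
                if info.file_size > MAX_XML_BYTES:  # declared size, checked before reading
                    findings.append("%s: larger than %d bytes" % (info.filename, MAX_XML_BYTES))
                    continue
                findings += ["%s: %s" % (info.filename, f) for f in scan_transform_xml(archive.read(info))]
    except zipfile.BadZipFile:
        findings.append("not a readable ZIP container")
    return findings

# Constructed samples (not real VisiCut files); example.Placeholder is a made-up class name.
def make_plf(xml_text):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("transform.xml", xml_text)
    return buf.getvalue()
BENIGN = '<java class="java.beans.XMLDecoder"><object class="java.awt.geom.AffineTransform"/></java>'
FLAGGED = '<java class="java.beans.XMLDecoder"><object class="example.Placeholder" method="run"/></java>'
```

A non-empty result from `scan_plf` is a reason to quarantine the file rather than open it; an empty result only means these two indicators were absent.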

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 7.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.