SYM_CS_0035 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | csharp |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Low |
Description
Deserializing data with the LosFormatter class (System.Web.UI, the formatter ASP.NET uses for ViewState-style blobs) is insecure: the formatter reconstructs whatever object graph the payload describes, so an attacker who controls or can modify the input can have arbitrary code run during deserialization, before any cast on the returned object takes effect. LosFormatter provides no hook for restricting the types it will instantiate, so it cannot be made safe even when the data source is believed to be trusted; it should not be used. Replace it with a data-only format deserialized into an explicitly declared type.
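The following is an added illustration, not code from the Symbiotic database or from any project it catalogues. It shows the vulnerable pattern (LosFormatter reconstructing a client-supplied blob) next to the replacement the description calls for: a fixed, data-only DTO parsed with a formatter that never resolves type names from the payload. `WizardHandler`, `WizardState` and the `state` form field are hypothetical; the example assumes an ASP.NET (.NET Framework) project with the System.Text.Json package available.

```csharp
using System;
using System.IO;
using System.Text.Json;
using System.Web;
using System.Web.UI;

// Hypothetical data-only type the application actually expects in the
// "state" form field. No behaviour, no polymorphism: just the fields we need.
public sealed class WizardState
{
    public int Step { get; set; }
    public string Email { get; set; } = "";
}

// Hypothetical handler that receives a serialized state blob from the browser.
public class WizardHandler : IHttpHandler
{
    public bool IsReusable => false;

    public void ProcessRequest(HttpContext ctx)
    {
        string raw = ctx.Request.Form["state"] ?? "";

        // VULNERABLE (CWE-502): LosFormatter instantiates whatever object graph
        // the client encoded. The payload, not the application, picks the
        // types, so this line is remote code execution. The (WizardState) cast
        // runs only after deserialization has finished and protects nothing.
        //
        //   WizardState state = (WizardState)new LosFormatter().Deserialize(raw);

        // FIXED: parse into the known DTO and validate its fields.
        WizardState state = ParseState(raw);

        ctx.Response.ContentType = "text/plain";
        ctx.Response.Write("step=" + state.Step);
    }

    // Deserializes with System.Text.Json, which only ever produces a
    // WizardState (or fails). Type information in the input is not honoured,
    // so there is no gadget-chain surface. Field validation is still required;
    // deserialization being safe does not make the values trustworthy.
    public static WizardState ParseState(string raw)
    {
        var opts = new JsonSerializerOptions { PropertyNameCaseInsensitive = true };
        WizardState s;
        try
        {
            s = JsonSerializer.Deserialize<WizardState>(raw, opts);
        }
        catch (JsonException e)
        {
            throw new InvalidDataException("malformed state", e);
        }

        if (s == null || s.Step < 0 || s.Step > 10 || s.Email == null || s.Email.Length > 254)
            throw new InvalidDataException("rejected state");
        return s;
    }
}
```

LosFormatter can be constructed with MAC validation enabled (`new LosFormatter(true, ...)`), but that only moves the question to whether the machineKey is secret, which is the "trusted source" case the description says is still not acceptable. Changing the wire format to one that cannot express types, as above, removes the bug class rather than narrowing it.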
Impact
If exploited, an attacker who can supply the serialized input (for example through a form field, cookie, or query parameter that the application passes to LosFormatter.Deserialize) can execute arbitrary code in the web application's process, with that process's identity and permissions. From there they can read or alter application data, reach other systems the server can talk to, or take over the application outright.