CVE-2022-24789
C# vulnerability analysis and mitigation

Overview

C1 CMS, an open-source .NET-based Content Management System, contains a deserialization vulnerability (CVE-2022-24789) affecting versions prior to 6.12. The issue was discovered by Jaroslav Lobačevski of the GitHub Security Lab and disclosed on March 28, 2022. It allows an authenticated user to perform Server Side Request Forgery (SSRF) and to truncate arbitrary files on the server by feeding attacker-controlled data to a deserializer (GitHub Advisory).

Technical details

The vulnerability stems from the CompositeJsonSerializer.Deserialize functionality being reachable from multiple endpoints where the serializedEntityToken parameter is user-controlled. The serialized token carries type names, and a custom deserialization binder decides which of those types may be instantiated. The binder blocks the known remote code execution gadgets from third-party libraries, but it still permits instantiation of any internal C1 class and of any class from the standard library namespaces 'mscorlib', 'System' and 'System.Collections*'. An allow-list that wide leaves the attacker a large pool of constructors, property setters and finalizers with side effects to choose from, which is enough to assemble gadget chains that stop short of code execution but still act on the server (GitHub Lab).
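The weakness described above is a binder that admits types by namespace prefix rather than by an explicit list. The following C# is an added illustration, not C1 CMS code, of the two approaches side by side using Json.NET's ISerializationBinder (it assumes the Newtonsoft.Json package is referenced; PageEntityToken, PrefixAllowListBinder and KnownTypesBinder are hypothetical names chosen for the example). The prefix-based binder resolves any framework type the attacker names; the closed-map binder resolves only the concrete types the application actually serializes.

```csharp
// Added example (not C1 CMS code): namespace-prefix allow-list binder versus an
// explicit known-types binder for Json.NET type-name handling.
// Assumes the Newtonsoft.Json package is referenced.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical application type standing in for a CMS entity token.
public sealed class PageEntityToken
{
    public Guid PageId { get; set; }
    public string Locale { get; set; }
}

// Weak: every type under the listed namespaces is resolvable, so the attacker
// can pick from the whole framework surface, not just the types the app needs.
public sealed class PrefixAllowListBinder : ISerializationBinder
{
    private static readonly string[] AllowedPrefixes = { "System.", "MyCms." };

    public Type BindToType(string assemblyName, string typeName)
    {
        foreach (var prefix in AllowedPrefixes)
        {
            if (typeName.StartsWith(prefix, StringComparison.Ordinal))
                return Type.GetType($"{typeName}, {assemblyName}", throwOnError: true);
        }
        throw new JsonSerializationException($"Type not allowed: {typeName}");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = serializedType.Assembly.FullName;
        typeName = serializedType.FullName;
    }
}

// Hardened: resolve only from a closed map of application-defined concrete types.
// Nothing outside the map, framework types included, can be instantiated.
public sealed class KnownTypesBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Known = new Dictionary<string, Type>
    {
        ["PageEntityToken"] = typeof(PageEntityToken),
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Known.TryGetValue(typeName, out var t)) return t;
        throw new JsonSerializationException($"Type not allowed: {typeName}");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;                 // short alias only; the map is the source of truth
        typeName = serializedType.Name;
    }
}

public static class BinderDemo
{
    // Returns the deserialized object, or null when the binder rejected the type.
    public static object TryDeserialize(string json, ISerializationBinder binder)
    {
        var settings = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Objects,
            SerializationBinder = binder,
        };
        try { return JsonConvert.DeserializeObject<object>(json, settings); }
        catch (JsonSerializationException ex)
        {
            Console.WriteLine($"rejected: {ex.Message}");
            return null;
        }
    }

    public static void Main()
    {
        // Constructed payloads: the attacker controls the "$type" value.
        const string hostile = "{\"$type\":\"System.Collections.Hashtable, mscorlib\"}";
        const string benign  = "{\"$type\":\"PageEntityToken\"," +
                               "\"PageId\":\"11111111-2222-3333-4444-555555555555\",\"Locale\":\"en-US\"}";

        // Prefix binder: "System.Collections.Hashtable" matches "System." and is instantiated.
        Console.WriteLine(TryDeserialize(hostile, new PrefixAllowListBinder())?.GetType());
        // Known-types binder: the same name is rejected before any instance is created.
        Console.WriteLine(TryDeserialize(hostile, new KnownTypesBinder()) == null);
        // The application's own token still round-trips through the strict binder.
        Console.WriteLine(TryDeserialize(benign, new KnownTypesBinder()) is PageEntityToken);
    }
}
```

The point of the contrast is the shape of the decision, not the specific gadget: a binder that answers "is this namespace trusted?" lets the deserializer construct any type the framework ships under that namespace, whereas a binder that answers "is this one of the N types I serialize?" reduces the reachable surface to those N constructors. Where type names must travel in the payload at all, the closed map is the form to use; the stronger fix is to not accept type names from the client.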

Impact

The vulnerability enables an authenticated user to perform two kinds of malicious action: 1) SSRF, by causing the server to issue arbitrary GET requests to other hosts on the local network or to localhost, reaching services that are not exposed to the user directly; and 2) truncation of arbitrary files on the server to zero size, which can cause denial of service (DoS) or alter application behaviour when the emptied file is configuration, data or code the application later reads. Because the vulnerable endpoints accept the serialized token from a request the victim's browser can be made to send, an attacker can also trigger these actions through an already-authenticated user by luring them to a specially crafted site (GitHub Advisory).

Mitigation and workarounds

The vulnerability was patched in C1 CMS version 6.12. Orckestra provides a free automated upgrade path to this release for any C1 installation running version 5.0 or later. No workaround is known other than upgrading to version 6.12 or newer (Release Notes).

This report was generated using AI.
