CVE-2026-23946 (CNNVD-202601-3918)

MEDIUM
中文标题:
Tendenci 代码问题漏洞
英文标题:
Tendenci has Authenticated Remote Code Execution via Pickle Deserialization
CVSS分数: 6.8
发布时间: 2026-01-22 00:09:24
漏洞类型: 代码问题
状态: PUBLISHED
数据质量分数: 0.40
数据版本: v3
漏洞描述
中文描述:

Tendenci是美国Tendenci公司的一款主要用于非营利组织和协会的协会管理软件。该软件支持会员管理、内容管理、事件管理和网上捐款管理等功能。 Tendenci 15.3.11及之前版本存在代码问题漏洞,该漏洞源于Helpdesk模块使用不安全的pickle反序列化,可能导致远程代码执行。

英文描述:

Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpdesk module (which is not enabled by default). This vulnerability allows Remote Code Execution (RCE) by an authenticated user with staff security level due to using Python's pickle module in helpdesk /reports/. The original CVE-2020-14942 was incompletely patched. While ticket_list() was fixed to use safe JSON deserialization, the run_report() function still uses unsafe pickle.loads(). The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions. This issue has been fixed in version 15.3.12.

CWE类型:
CWE-94 CWE-502
标签:
(暂无数据)
受影响产品
厂商 产品 版本 版本范围 平台 CPE
tendenci tendenci < 15.3.12 - - cpe:2.3:a:tendenci:tendenci:<_15.3.12:*:*:*:*:*:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
https://github.com/tendenci/tendenci/security/advisories/GHSA-339m-4qw5-j2g3 x_refsource_CONFIRM
cve.org
访问
https://github.com/tendenci/tendenci/issues/867 x_refsource_MISC
cve.org
访问
https://github.com/tendenci/tendenci/commit/23d9fd85ab7654e9c83cfc86cb4175c0bd7a77f1 x_refsource_MISC
cve.org
访问
https://github.com/tendenci/tendenci/commit/2ff0a457614944a1b417081c543ea4c5bb95d636 x_refsource_MISC
cve.org
访问
https://github.com/tendenci/tendenci/commit/63e1b84a5b163466d1d8d811d35e7021a7ca0d0e x_refsource_MISC
cve.org
访问
https://docs.python.org/3/library/pickle.html#restricting-globals x_refsource_MISC
cve.org
访问
https://github.com/advisories/GHSA-jqmc-fxxp-r589 x_refsource_MISC
cve.org
访问
https://github.com/tendenci/tendenci/releases/tag/v15.3.12 x_refsource_MISC
cve.org
访问
CVSS评分详情
3.1 (cna)
MEDIUM
6.8
CVSS向量: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
机密性
HIGH
完整性
HIGH
可用性
HIGH
时间信息
发布时间:
2026-01-22 00:09:24
修改时间:
2026-01-22 00:09:24
创建时间:
2026-01-22 06:00:10
更新时间:
2026-01-27 06:00:17
利用信息
暂无可利用代码信息
数据源详情
数据源 记录ID 版本 提取时间
CVE cve_CVE-2026-23946 2026-01-22 03:19:50 2026-01-21 22:00:10
NVD nvd_CVE-2026-23946 2026-01-23 02:00:04 2026-01-22 22:00:17
CNNVD cnnvd_CNNVD-202601-3918 2026-01-26 02:10:03 2026-01-25 18:11:59
版本与语言
当前版本: v3
主要语言: EN
支持语言:
EN ZH
安全公告
暂无安全公告信息
变更历史
v3 CNNVD
2026-01-26 02:11:59
vulnerability_type: 未提取 → 代码问题; cnnvd_id: 未提取 → CNNVD-202601-3918; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
  • vulnerability_type: 未提取 -> 代码问题
  • cnnvd_id: 未提取 -> CNNVD-202601-3918
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2026-01-23 06:00:17
data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
  • data_sources: ['cve'] -> ['cve', 'nvd']