Untrusted data deserialization vulnerability in Mentor

Posted date 06/06/2024
5 - Critical
Affected Resources
  • Mentor – Employee Portal, 3.83.35 version.

INCIBE has coordinated the publication of a critical severity vulnerability affecting Mentor - Portal del empleado, software for human resources management and risk prevention. The vulnerability was discovered by Raúl Caro Teixido.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-5675: CVSS v3.1: 10.0 | CVSS AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | CWE-502.


The vulnerability has been fixed by the Summar team in Mentor - Employee Portal, version 3.87.7.


CVE-2024-5675: an untrusted data deserialization vulnerability has been found in Mentor - Employee Portal, affecting version 3.83.35. This vulnerability could allow an attacker to execute arbitrary code by injecting a malicious payload into the “ViewState” field.