This affects all versions of package SinGooCMS.Utility. The socket client in the package can pass in the payload via the user-controllable input after it has been established, because this socket client transmission does not have the appropriate restrictions or type bindings for the BinaryFormatter.
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-0749
- https://github.com/SinGooCMS/SinGooCMSUtility/issues/1
- https://github.com/SinGooCMS/SinGooCMSUtility/blob/master/SinGooCMS.Utility/Net/SocketClient.cs
- https://snyk.io/vuln/SNYK-DOTNET-SINGOOCMSUTILITY-2312979
- https://github.com/advisories/GHSA-29rv-fqx2-4c9f