Description
phpMussel versions from 1.0.0 and less than 1.6.0 have an unserialization vulnerability in PHP's phar wrapper. Uploading a specially crafted file to an affected version allows arbitrary code execution (discovered, tested, and confirmed by myself), so the risk factor should be regarded as very high. Newer phpMussel versions don't use PHP's phar wrapper, and are therefore unaffected. This has been fixed in version 1.6.0.
References
- Patch, Release Notes, Third Party Advisory
- Patch, Third Party Advisory
- Patch, Third Party Advisory
- Mitigation, Third Party Advisory
- Third Party Advisory
Vulnerable configurations
Configuration 1: version from 1.0.0 (inclusive) to 1.6.0 (exclusive)
cpe:2.3:a:phpmussel_project:phpmussel:*:*:*:*:*:*:*:*
EPSS
Percentile: 81%
Score: 0.01568 (Low)
CVSS3: 7.7 High
CVSS3: 9.8 Critical
CVSS2: 7.5 High
Weaknesses
CWE-502
Related vulnerabilities
- CVSS3: 7.7, github, more than 5 years ago: Phar unserialization vulnerability in phpMussel