CVE-2020-14932

2020-06-2000:00:00

attackerkb.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

compose.php in SquirrelMail 1.4.22 calls unserialize for the $mailtodata value, which originates from an HTTP GET request. This is related to mailto.php.

Recent assessments:

kevthehermit at June 20, 2020 5:17pm UTC reported:

tldr

The use of unserialize in PHP that accepts user data. There is no sequence of code that can be exploited to gain code execution using this method.

Outline

Passing user-controlled data to unserialize in PHP is always a bad idea. However, in order to be exploitable there needs to be additional code that will process the data through the use of Magic Methods. There do not appear to be any dangerous methods that take this data in the current version of the PHP script.

If the base PHP version that is running this application also happens to be a version of PHP vulnerable to <https://www.cvedetails.com/cve/CVE-2017-5340/> Then there is an increased possibility of gaining code execution using this methodology.