SuiteCRM 7.11.11 Second-Order PHP Object Injection
SuiteCRM <= 7.11.11 Second-Order PHP Object Injection Vulnerabilities - Software Link: https://suitecrm.com/ - Affected Versions: Version 7.11.11 and prior...
SuiteCRM Second Order PHP Object Injection Vulnerability
SuiteCRM is a free and open-source customer relationship management application. A security vulnerability exists in SuiteCRM. An attacker can exploit the vulnerability to inject arbitrary PHP objects into the application scope, allowing the attacker to perform various attacks, such as executing...
SuiteCRM 7.11.11 Phar Deserialization
SuiteCRM <= 7.11.11 Multiple Phar Deserialization Vulnerabilities - Software Link: https://suitecrm.com/ - Affected Versions: Version 7.11.11 and prior versions. -...
Joomla! Session Object Injection RCE
The Joomla! application running on the remote web server is affected by a remote code execution vulnerability due to improper sanitization of session parameters when saving and retrieving the session object. An unauthenticated, remote attacker can exploit this, via a serialized PHP object, to...
Multiple Phar Deserialization Vulnerabilities in SuiteCRM
SuiteCRM is a free and open-source customer relationship management application. SuiteCRM suffers from multiple Phar deserialization vulnerabilities. An attacker can exploit the vulnerabilities to inject arbitrary PHP objects into the scope of the application, allowing the execution of various...
SuiteCRM 7.11.11 Bean Manipulation
SuiteCRM <= 7.11.11 actionsaveHTMLField Bean Manipulation Vulnerability - Software Link: https://suitecrm.com/ - Affected Versions: Version 7.11.11...
PT-2020-20289 · Salesagility · Suitecrm
Name of the Vulnerable Software and Affected Versions: SuiteCRM versions prior to 7.11.12 Description: The issue allows for PHP Object Injection in the EmailsController Action GetFromFields. Recommendations: For SuiteCRM versions prior to 7.11.12, update to version 7.11.12 or later to resolve the...
CVE-2018-1000888
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with $v_header['filename'] as parameter, such as file_exists, is_file, is_dir, etc. When extract is called without a specific prefix path, we can trigger...
CVE-2014-1860
Contao CMS through 3.2.4 has PHP Object Injection Vulnerabilities...
Design/Logic Flaw
Contao CMS through 3.2.4 has PHP Object Injection Vulnerabilities...
CVE-2014-1860
CVE-2014-1860 affects Contao CMS up to version 3.2.4, where PHP Object Injection vulnerabilities are reported. The connected zdt entry documents a code execution vulnerability in Contao 3.2.4 and earlier, linked to improper handling of user input that is unserialized, enabling potential arbitrary...
LKWA - Lesser Known Web Attack Lab
Lesser Known Web Attack Lab is for intermediate pentester that can test and practice lesser known web attacks such as Object Injection, XSSI, PHAR Deserialization, variables variable ..etc. Write-ups are welcome. Installation Just clone the git with git clone https://github.com/weev3/LKWA and mov...
CVE-2019-14466
The GOsaFilterSettings cookie in GONICUS GOsa 2.7.5.2 is vulnerable to PHP object injection, which allows a remote authenticated attacker to perform file deletions in the context of the user account that runs the web server via a crafted cookie value, because unserialize is used to restore...
DEBIAN-CVE-2019-14466
The GOsaFilterSettings cookie in GONICUS GOsa 2.7.5.2 is vulnerable to PHP object injection, which allows a remote authenticated attacker to perform file deletions in the context of the user account that runs the web server via a crafted cookie value, because unserialize is used to restore...
UBUNTU-CVE-2019-14466
The GOsaFilterSettings cookie in GONICUS GOsa 2.7.5.2 is vulnerable to PHP object injection, which allows a remote authenticated attacker to perform file deletions in the context of the user account that runs the web server via a crafted cookie value, because unserialize is used to restore...
CVE-2019-19826
The Views Dynamic Fields module through 7.x-1.0-alpha4 for Drupal makes insecure unserialize calls in handlers/views_handler_filter_dynamic_fields.inc, as demonstrated by PHP object injection, involving a field_names object and an Archive_Tar object, for file deletion. Code execution might also be...