CVE-2019-7725

includes/core/isuser.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk...

EUVD-2021-1245

Malware in sbrugna...

EUVD-2024-2336

Malicious code in bioql PyPI...

unserialize-exploit

🎯 unserialize-exploit - Explore PHP Unserialization Exploits...

CVE-2024-40624

TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php. In torrentpier/library/includes/functions.php, gettracks uses the unsafe native PHP serialization format to deserialize user-controlled cookies. One can use phpggc and the chain Guzzle/FW1 to write PHP code to...

Remote Code Execution (RCE)

torrentpier/torrentpier is vulnerable to Remote Code Execution RCE. The vulnerability is due to the unsafe handling of user-controlled data specifically cookies within the gettracks function in torrentpier/library/includes/functions.php, where unsafe usage of PHP's native serialization format...

CVE-2024-40624

TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php. In torrentpier/library/includes/functions.php, gettracks uses the unsafe native PHP serialization format to deserialize user-controlled cookies. One can use phpggc and the chain Guzzle/FW1 to write PHP code to...

CVE-2024-40624 Deserialization of untrusted data in torrentpier/torrentpier

TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php. In torrentpier/library/includes/functions.php, gettracks uses the unsafe native PHP serialization format to deserialize user-controlled cookies. One can use phpggc and the chain Guzzle/FW1 to write PHP code to...

CVE-2023-2497

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'importsettings' function. This makes it possible for unauthenticated attackers to exploit PHP Object Injection due to...

Exploit for Deserialization of Untrusted Data in Spip

---- CVE-2023-273...

GHSA-32WR-8WXM-852C Deserialization of Untrusted Data in NukeViet

includes/core/isuser.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk...

CVE-2021-21979

In Bitnami Containers, all Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8, the file /tmp/app/.env is generated at the time that the docker image bitnami/laravel was built, and the value of APPKEY ...

CVE-2019-7725

includes/core/isuser.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk...

Code injection

includes/core/isuser.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk...

CVE-2019-7725

includes/core/isuser.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk...

CVE-2019-7725

The CVE refers to NukeViet before 4.3.04, where includes/core/is_user.php deserializes the untrusted nvloginhash cookie, relying on PHP serialization instead of JSON. This constitutes a deserialization vulnerability that can lead to remote impact, with CVSS metrics indicating high severity (NVD: ...

Services - Highly Critical - Arbitrary Code Execution - SA-CONTRIB-2017-029

This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The module accepts user submitted data in PHP's serialization format "Content-Type: application/vnd.php.serialized" which can lead to arbitrary remote code execution. This...

UBUNTU-CVE-2016-9138

PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::toString with DateInterval::wakeup...

PHP serialize/object injection vulnerability exploit-vulnerability warning-the black bar safety net

! This article is about PHP serialize/object injection vulnerability analysis of the short story, which tells about how to get the host of the remote shell. If you want to learn more about PHP serialized content, please visit this link. If you want to test this vulnerability, you can by XVWA and...

vBulletin 5.x.x 远程任意代码执行漏洞

unserialize 实战之 vBulletin 5.x.x 远程代码执行 --- Author: RickGray 知道创宇404安全实验室 近日，vBulletin 的一枚 RCE 利用和简要的分析被曝光，产生漏洞的原因源于 vBulletin 程序在处理 Ajax API 调用的时候，使用 unserialize 对传递的参数值进行了反序列化操作，导致攻击者使用精心构造出的 Payload 直接导致代码执行。关于 PHP 中反序列化漏洞的问题可以参考 OWASP 的《PHP Object Injection》。 使用 原文 提供的 Payload 可以直接在受影响的站点上执行...