22 matches found
DRUPAL-CONTRIB-2026-049
The Flag attendance field module gives you the ability to add attendance by depending on Flag module. flagattendancefield stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection vulnerability when th...
CVE-2019-7725
includes/core/isuser.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk...
EUVD-2021-1245
Malware in sbrugna...
EUVD-2024-2336
Malicious code in bioql PyPI...
unserialize-exploit
🎯 unserialize-exploit - Explore PHP Unserialization Exploits...
CVE-2024-40624
TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php. In torrentpier/library/includes/functions.php, gettracks uses the unsafe native PHP serialization format to deserialize user-controlled cookies. One can use phpggc and the chain Guzzle/FW1 to write PHP code to...
Remote Code Execution (RCE)
torrentpier/torrentpier is vulnerable to Remote Code Execution RCE. The vulnerability is due to the unsafe handling of user-controlled data specifically cookies within the gettracks function in torrentpier/library/includes/functions.php, where unsafe usage of PHP's native serialization format...
CVE-2024-40624
TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php. In torrentpier/library/includes/functions.php, gettracks uses the unsafe native PHP serialization format to deserialize user-controlled cookies. One can use phpggc and the chain Guzzle/FW1 to write PHP code to...
CVE-2024-40624 Deserialization of untrusted data in torrentpier/torrentpier
TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php. In torrentpier/library/includes/functions.php, gettracks uses the unsafe native PHP serialization format to deserialize user-controlled cookies. One can use phpggc and the chain Guzzle/FW1 to write PHP code to...
CVE-2023-2497
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'importsettings' function. This makes it possible for unauthenticated attackers to exploit PHP Object Injection due to...
Exploit for Deserialization of Untrusted Data in Spip
---- CVE-2023-273...
GHSA-32WR-8WXM-852C Deserialization of Untrusted Data in NukeViet
includes/core/isuser.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk...
CVE-2021-21979
In Bitnami Containers, all Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8, the file /tmp/app/.env is generated at the time that the docker image bitnami/laravel was built, and the value of APPKEY ...
CVE-2019-7725
includes/core/isuser.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk...
Code injection
includes/core/isuser.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk...
CVE-2019-7725
includes/core/isuser.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk...
CVE-2019-7725
The CVE refers to NukeViet before 4.3.04, where includes/core/is_user.php deserializes the untrusted nvloginhash cookie, relying on PHP serialization instead of JSON. This constitutes a deserialization vulnerability that can lead to remote impact, with CVSS metrics indicating high severity (NVD: ...
Services - Highly Critical - Arbitrary Code Execution - SA-CONTRIB-2017-029
This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The module accepts user submitted data in PHP's serialization format "Content-Type: application/vnd.php.serialized" which can lead to arbitrary remote code execution. This...
UBUNTU-CVE-2016-9138
PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::toString with DateInterval::wakeup...
PHP serialize/object injection vulnerability exploit-vulnerability warning-the black bar safety net
! This article is about PHP serialize/object injection vulnerability analysis of the short story, which tells about how to get the host of the remote shell. If you want to learn more about PHP serialized content, please visit this link. If you want to test this vulnerability, you can by XVWA and...