9.8

CVE-2023-46817

Exploit
An issue was discovered in phpFox before 4.8.14. The url request parameter passed to the /core/redirect route is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PhpfoxPhpfox Version < 4.8.13
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.81% 0.757
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

http://seclists.org/fulldisclosure/2023/Oct/30
Third Party Advisory
Exploit
Mailing List
https://docs.phpfox.com/display/FOX4MAN/phpFox+4.8.14
Product
https://karmainsecurity.com/KIS-2023-12
Third Party Advisory
https://karmainsecurity.com/pocs/CVE-2023-46817.php
Third Party Advisory
Exploit
https://www.phpfox.com/blog/
Product