8.1
CVE-2024-10749
- EPSS 0.51%
- Veröffentlicht 04.11.2024 01:15:03
- Zuletzt bearbeitet 06.11.2024 15:04:49
- Quelle cna@vuldb.com
- CVE-Watchlists
- Unerledigt
LoginThinkAdmin Plugs.php script deserialization
A vulnerability, which was classified as critical, was found in ThinkAdmin up to 6.1.67. Affected is the function script of the file /app/admin/controller/api/Plugs.php. The manipulation of the argument uptoken leads to deserialization. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Thinkadmin ≫ Thinkadmin Version >= 6.0 <= 6.1.67
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.51% | 0.391 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.1 | 2.2 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| cna@vuldb.com | 2.3 | 0 | 0 |
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| cna@vuldb.com | 5 | 1.6 | 3.4 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
|
| cna@vuldb.com | 4.6 | 3.9 | 6.4 |
AV:N/AC:H/Au:S/C:P/I:P/A:P
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
https://github.com/pwysec/Xmwcq/blob/main/1.md
https://vuldb.com/?ctiid.282918
https://vuldb.com/?id.282918
https://vuldb.com/?submit.432436