A vulnerability classified as problematic was found in b1gMail up to 7.4.1-pl1. Affected by this vulnerability is an unknown function of the file src/admin/users.php of the component Admin Page. The manipulation of the argument query/q with an unknown input leads to a deserialization vulnerability. The CWE definition for the vulnerability is CWE-502. The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. As an impact it is known to affect confidentiality, integrity, and availability.

The advisory is shared at gist.github.com. This vulnerability is known as CVE-2025-1741. The exploitation appears to be easy. The attack can be launched remotely. Additional levels of successful authentication are needed for exploitation. Technical details are known, but no exploit is available.

The vendor acted highly professional and even fixed this issue in the discontinued commercial edition as b1gMail 7.4.0-pl3. By approaching the search of inurl:src/admin/users.php it is possible to find vulnerable targets with Google Hacking.

Upgrading to version 7.4.1-pl2 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 4816c8b748f6a5b965c8994e2cf10861bf6e68aa is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Name

• b1gMail

Version

• 7.4.1-pl1

License

• open-source

CPE 2.3info

• 🔒

CPE 2.2info

• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Submitinfo

Accepted

• Submit #505838: b1gMail-OSS b1gMail 7.4.1-pl1 Deserialization (by mcdruid)

Discussion