| Title | b1gMail-OSS b1gMail 7.4.1-pl1 Deserialization |
|---|
| Description | b1gMail OSS has a PHP Object Injection vulnerability as a result of Deserialization of Untrusted Data.
(POP/) Gadget Chains exist in b1gMail (and its libraries) which allow Object Injection vulnerabilities to be exploited, for example to delete arbitrary files. Other attacks may be possible depending on what plugins are installed.
The vulnerability is mitigated by the fact that the vulnerable functionality is in an admin page, access to which is restricted to administrators.
Because the vulnerability can be exploited via a GET request, it may be possible to conduct such an attack via Cross Site Scripting (XSS) or a similar vector.
The vulnerability is fixed in b1gMail 7.4.1 Patch Level 2 |
|---|
| Source | ⚠️ https://gist.github.com/mcdruid/cb0b848c12fd6a6bc0c1b3357b983d30 |
|---|
| User | mcdruid (UID 79710) |
|---|
| Submission | 02/23/2025 07:28 PM (3 months ago) |
|---|
| Moderation | 02/27/2025 09:47 AM (4 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 297829 [b1gMail up to 7.4.1-pl1 Admin Page src/admin/users.php query/q deserialization] |
|---|
| Points | 20 |
|---|