| عنوان | b1gMail-OSS b1gMail 7.4.1-pl1 Deserialization |
|---|
| الوصف | b1gMail OSS has a PHP Object Injection vulnerability as a result of Deserialization of Untrusted Data.
(POP/) Gadget Chains exist in b1gMail (and its libraries) which allow Object Injection vulnerabilities to be exploited, for example to delete arbitrary files. Other attacks may be possible depending on what plugins are installed.
The vulnerability is mitigated by the fact that the vulnerable functionality is in an admin page, access to which is restricted to administrators.
Because the vulnerability can be exploited via a GET request, it may be possible to conduct such an attack via Cross Site Scripting (XSS) or a similar vector.
The vulnerability is fixed in b1gMail 7.4.1 Patch Level 2 |
|---|
| المصدر | ⚠️ https://gist.github.com/mcdruid/cb0b848c12fd6a6bc0c1b3357b983d30 |
|---|
| المستخدم | mcdruid (UID 79710) |
|---|
| ارسال | 23/02/2025 07:28 PM (1 سنة منذ) |
|---|
| الاعتدال | 27/02/2025 09:47 AM (4 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 297829 [b1gMail حتى 7.4.1-pl1 Admin Page src/admin/users.php query/q تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|