| عنوان | funadmin v7.1.0-rc4 Deserialization of Untrusted Data |
|---|
| الوصف | In app/common/service/AuthCloudService.php, the getMember function directly performs deserialization on the value of the cloud_account cookie (where $this->cloud_account_key defaults to cloud_account).
Because cookie data is fully user-controlled, this results in a critical insecure deserialization vulnerability.
By leveraging gadget chains provided by the League dependency, an attacker can achieve arbitrary file write, which may further lead to remote code execution.
According to
https://vuldb.com/zh/?submit.753975
, the application also suffers from an unauthorized backend XSS vulnerability.
An attacker can exploit this XSS vulnerability without authentication to automatically send crafted requests to sensitive backend endpoints. By chaining the unauthorized XSS with the insecure deserialization vulnerability, an attacker can trigger malicious requests on behalf of an administrator and ultimately achieve unauthorized remote code execution (RCE).
The following backend endpoints invoke the vulnerable getMember() method and can be abused in this attack chain:
/backend/addon/index
/backend/sys/upgrade/index
/backend/sys/upgrade/check
/backend/sys/upgrade/backup
/backend/sys/upgrade/install
Successful exploitation allows attackers to write arbitrary files, execute arbitrary code, and fully compromise the backend system without authentication. |
|---|
| المصدر | ⚠️ https://github.com/I4m6da/CVE/issues/5 |
|---|
| المستخدم | I4m6da (UID 95320) |
|---|
| ارسال | 07/02/2026 01:33 PM (4 أشهر منذ) |
|---|
| الاعتدال | 20/02/2026 07:57 PM (13 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 347209 [funadmin حتى 7.1.0-rc4 Backend Endpoint AuthCloudService.php getMember cloud_account تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|