إرسال #798732: Trilby Media Grav CMS >= 1.7.44, <= 1.7.49.5 Deserializationالمعلومات

عنوانTrilby Media Grav CMS >= 1.7.44, <= 1.7.49.5 Deserialization
الوصف## Description `FileCache::doGet()` deserializes cached values with `unserialize(..., ['allowed_classes' => true])`. If cache files are attacker-controlled, this allows object instantiation and enables object-injection primitives. ## Impact Potential object injection and possible code execution through gadget chains, when cache storage tampering is possible. ## Mitigation - Avoid object deserialization for cache data; use strict JSON/primitive formats. - Enforce integrity controls and strict permissions on cache directories. - If deserialization is required, use a strict class allowlist.
المصدر⚠️ https://github.com/devsamuelsantiago/grav-cms-filecache-object-injection
المستخدم
 s4nnty (UID 95917)
ارسال07/04/2026 05:09 PM (2 أشهر منذ)
الاعتدال28/04/2026 03:13 PM (21 days later)
الحالةتمت الموافقة
إدخال VulDB359965 [Grav CMS حتى 1.7.49.5/2.0.0-beta.1 Cache Value FileCache.php FileCache::doGet تجاوز الصلاحيات]
النقاط20

التالي نظرة عامة السابق

Want to know what is going to be exploited?

We predict KEV entries!