| Titel | funadmin v7.1.0-rc4 Deserialization of Untrusted Data |
|---|
| Beschreibung | In app/common/service/AuthCloudService.php, the getMember function directly performs deserialization on the value of the cloud_account cookie (where $this->cloud_account_key defaults to cloud_account).
Because cookie data is fully user-controlled, this results in a critical insecure deserialization vulnerability.
By leveraging gadget chains provided by the League dependency, an attacker can achieve arbitrary file write, which may further lead to remote code execution.
According to
https://vuldb.com/zh/?submit.753975
, the application also suffers from an unauthorized backend XSS vulnerability.
An attacker can exploit this XSS vulnerability without authentication to automatically send crafted requests to sensitive backend endpoints. By chaining the unauthorized XSS with the insecure deserialization vulnerability, an attacker can trigger malicious requests on behalf of an administrator and ultimately achieve unauthorized remote code execution (RCE).
The following backend endpoints invoke the vulnerable getMember() method and can be abused in this attack chain:
/backend/addon/index
/backend/sys/upgrade/index
/backend/sys/upgrade/check
/backend/sys/upgrade/backup
/backend/sys/upgrade/install
Successful exploitation allows attackers to write arbitrary files, execute arbitrary code, and fully compromise the backend system without authentication. |
|---|
| Quelle | ⚠️ https://github.com/I4m6da/CVE/issues/5 |
|---|
| Benutzer | I4m6da (UID 95320) |
|---|
| Einreichung | 07.02.2026 13:33 (vor 4 Monaten) |
|---|
| Moderieren | 20.02.2026 19:57 (13 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 347209 [funadmin bis 7.1.0-rc4 Backend Endpoint AuthCloudService.php getMember cloud_account erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|