| タイトル | b1gMail-OSS b1gMail 7.4.1-pl1 Deserialization |
|---|
| 説明 | b1gMail OSS has a PHP Object Injection vulnerability as a result of Deserialization of Untrusted Data.
(POP/) Gadget Chains exist in b1gMail (and its libraries) which allow Object Injection vulnerabilities to be exploited, for example to delete arbitrary files. Other attacks may be possible depending on what plugins are installed.
The vulnerability is mitigated by the fact that the vulnerable functionality is in an admin page, access to which is restricted to administrators.
Because the vulnerability can be exploited via a GET request, it may be possible to conduct such an attack via Cross Site Scripting (XSS) or a similar vector.
The vulnerability is fixed in b1gMail 7.4.1 Patch Level 2 |
|---|
| ソース | ⚠️ https://gist.github.com/mcdruid/cb0b848c12fd6a6bc0c1b3357b983d30 |
|---|
| ユーザー | mcdruid (UID 79710) |
|---|
| 送信 | 2025年02月23日 19:28 (1 年 ago) |
|---|
| モデレーション | 2025年02月27日 09:47 (4 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 297829 [b1gMail 迄 7.4.1-pl1 Admin Page src/admin/users.php query/q 特権昇格] |
|---|
| ポイント | 20 |
|---|