| タイトル | funadmin v7.1.0-rc4 Deserialization of Untrusted Data |
|---|
| 説明 | In app/common/service/AuthCloudService.php, the getMember function directly performs deserialization on the value of the cloud_account cookie (where $this->cloud_account_key defaults to cloud_account).
Because cookie data is fully user-controlled, this results in a critical insecure deserialization vulnerability.
By leveraging gadget chains provided by the League dependency, an attacker can achieve arbitrary file write, which may further lead to remote code execution.
According to
https://vuldb.com/zh/?submit.753975
, the application also suffers from an unauthorized backend XSS vulnerability.
An attacker can exploit this XSS vulnerability without authentication to automatically send crafted requests to sensitive backend endpoints. By chaining the unauthorized XSS with the insecure deserialization vulnerability, an attacker can trigger malicious requests on behalf of an administrator and ultimately achieve unauthorized remote code execution (RCE).
The following backend endpoints invoke the vulnerable getMember() method and can be abused in this attack chain:
/backend/addon/index
/backend/sys/upgrade/index
/backend/sys/upgrade/check
/backend/sys/upgrade/backup
/backend/sys/upgrade/install
Successful exploitation allows attackers to write arbitrary files, execute arbitrary code, and fully compromise the backend system without authentication. |
|---|
| ソース | ⚠️ https://github.com/I4m6da/CVE/issues/5 |
|---|
| ユーザー | I4m6da (UID 95320) |
|---|
| 送信 | 2026年02月07日 13:33 (4 月 ago) |
|---|
| モデレーション | 2026年02月20日 19:57 (13 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 347209 [funadmin 迄 7.1.0-rc4 Backend Endpoint AuthCloudService.php getMember cloud_account 特権昇格] |
|---|
| ポイント | 20 |
|---|