| Title | funadmin v7.1.0-rc4 Deserialization of Untrusted Data |
|---|
| Description | In app/common/service/AuthCloudService.php, the getMember function passes the value of the cloud_account cookie (the cookie name is read from $this->cloud_account_key, which defaults to cloud_account) directly to unserialize().
Because cookie data is fully under the client's control, this is a critical insecure deserialization vulnerability.
Using gadget chains available in the League dependency, an attacker can achieve arbitrary file write, which can be escalated to remote code execution.
According to https://vuldb.com/zh/?submit.753975, the application also suffers from an unauthenticated backend XSS vulnerability.
An attacker can exploit this XSS without authentication to make a victim's browser automatically send crafted requests to sensitive backend endpoints. By chaining the unauthenticated XSS with the insecure deserialization, an attacker can trigger malicious requests on behalf of an administrator and ultimately achieve unauthenticated remote code execution (RCE).
The following backend endpoints invoke the vulnerable getMember() method and can be abused in this attack chain:
/backend/addon/index
/backend/sys/upgrade/index
/backend/sys/upgrade/check
/backend/sys/upgrade/backup
/backend/sys/upgrade/install
Successful exploitation allows an attacker to write arbitrary files, execute arbitrary code, and fully compromise the backend system without authentication. |
|---|
| Source | https://github.com/I4m6da/CVE/issues/5 |
|---|
| User | I4m6da (UID 95320) |
|---|
| Submitted | 2026-02-07 01:33 PM (4 months ago) |
|---|
| Moderation | 2026-02-20 07:57 PM (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 347209 [funadmin up to 7.1.0-rc4 Backend Endpoint AuthCloudService.php getMember cloud_account privilege escalation] |
|---|
| Points | 20 |
|---|
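The pattern the description refers to, beside a hardened replacement, as an added illustration in generic PHP. This is not funadmin's actual code and is not part of the original submission: the cookie name cloud_account comes from the submission, while the function names, the HMAC key handling and the JSON cookie format are assumptions made for the example.

```php
<?php
// Added illustration, not funadmin's code. Only the cookie name 'cloud_account'
// is taken from the submission; every other name here is an assumption.
declare(strict_types=1);

// --- Vulnerable pattern: the raw cookie body goes straight into unserialize(). ---
// Any class the autoloader can reach is instantiated from attacker-supplied bytes,
// and its __wakeup()/__destruct() hooks run. That is exactly what a gadget chain
// shipped in a bundled dependency relies on.
function getMemberVulnerable(array $cookies, string $cookieKey = 'cloud_account')
{
    if (!isset($cookies[$cookieKey])) {
        return null;
    }
    return unserialize($cookies[$cookieKey]);
}

// --- Hardened pattern: authenticate the cookie and never deserialize objects from it. ---
// Assumption: in a real deployment this key is loaded from server-side configuration.
const COOKIE_HMAC_KEY = 'replace-with-a-secret-loaded-from-config';

function encodeMemberCookie(array $member): string
{
    $payload = json_encode($member, JSON_THROW_ON_ERROR);
    $mac = hash_hmac('sha256', $payload, COOKIE_HMAC_KEY);
    return base64_encode($payload) . '.' . $mac;
}

function getMemberHardened(array $cookies, string $cookieKey = 'cloud_account'): ?array
{
    if (!isset($cookies[$cookieKey]) || !is_string($cookies[$cookieKey])) {
        return null;
    }
    $parts = explode('.', $cookies[$cookieKey], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return null;
    }
    // Constant-time comparison: a forged or tampered cookie is rejected before parsing.
    if (!hash_equals(hash_hmac('sha256', $payload, COOKIE_HMAC_KEY), $mac)) {
        return null;
    }
    // JSON cannot express PHP objects, so no class is ever instantiated from cookie data.
    $member = json_decode($payload, true, 8, JSON_THROW_ON_ERROR);
    return is_array($member) ? $member : null;
}

// If legacy serialized cookies must still be read during a migration, at minimum
// forbid object instantiation: scalars and arrays still decode, gadget classes do not.
function unserializeScalarsOnly(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Demo on a constructed cookie jar.
$good = ['cloud_account' => encodeMemberCookie(['uid' => 42, 'name' => 'demo'])];
var_dump(getMemberHardened($good));           // array with uid => 42, name => "demo"

$forged = ['cloud_account' => 'O:8:"stdClass":0:{}'];
var_dump(getMemberHardened($forged));         // NULL: no valid MAC, payload never parsed
var_dump(unserializeScalarsOnly($forged['cloud_account'])); // __PHP_Incomplete_Class, no hooks run
```

The HMAC only proves the server issued the cookie; it does not make the value secret, and a script injected through the XSS described above can still read or replay it from the victim's browser unless the cookie is set HttpOnly and the backend endpoints check a CSRF token. A quick triage check for the same class of bug in any PHP codebase is to grep for unserialize( calls whose argument derives from $_COOKIE, $_GET, $_POST or a request wrapper, and to confirm whether allowed_classes is set.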