Deserialization Vulnerability in PHPEMS Affecting Web Applications
CVE-2024-1353

6.3 MEDIUM

Key Information:

Vendor

PHPEMS

Status
Vendor
CVE Published: 9 February 2024

Badges

👾 Exploit Exists

What is CVE-2024-1353?

A deserialization vulnerability exists in the PHPEMS web application, specifically in the index function of the file app/weixin/controller/index.api.php. By manipulating the 'picurl' argument, attackers can exploit the flaw to execute unauthorized actions. The vulnerability exposes affected web applications to malicious operations that could lead to significant data breaches. The exploit has been publicly disclosed, so users of PHPEMS are strongly advised to implement corrective measures and ensure their systems are updated to mitigate the risks associated with this vulnerability.

Affected Version(s)

PHPEMS 1.0

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

CVSS V3.0

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

glzjin (VulDB User)