Deserialization of Untrusted Data Vulnerability Affects PMB
CVE-2024-26289

9.8CRITICAL

Key Information:

Vendor: Pmb Services
Status: Pmb
Vendor: CVE Published:; 27 May 2024

🔔 Create Pmb Services Vulnerability Alert

Badges

📰 News Worthy

What is CVE-2024-26289?

A deserialization of untrusted data vulnerability exists in PMB Services, allowing for potential remote code inclusion. This issue is found in specific versions including PMB 7.5.1 prior to 7.5.6-2, PMB 7.4.1 prior to 7.4.9, and PMB 7.3.1 prior to 7.3.18. Attackers could exploit this vulnerability to execute arbitrary code, leading to unauthorized access and possible system compromise. It is essential for organizations using affected versions to apply patches and updates promptly to mitigate the associated risks.

Affected Version(s)

PMB 7.5.1 < 7.5.6-2

PMB 7.4.1 < 7.4.9

PMB 7.3.1 < 7.3.18

News Articles

prophaze.com

CVE-2024-26289

CVE-2024-26289 : PMB UP TO 7.3.17/7.4.8/7.5.6-1 DESERIALIZATION - Cloud WAF

CVE-2024-26289 : Deserialization of Untrusted Data vulnerability in PMB Services PMB allows Remote Code Inclusion.This issue affects PMB: from 7.5.1 before 7.5.6-2, from 7.4.1 before 7.4.9, from 7.3.1 before 7.3.18.

References

https://github.com/enisaeu/CNW/blob/main/advisories/2024/...

third-party-advisory

https://forge.sigb.net/projects/pmb/files

product

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

📰
First article discovered by prophaze.com
May 27, 2024
Vulnerability published
May 27, 2024
Vulnerability Reserved
Feb 16, 2024

Credit

Johan Caluwe from CCB / CERT.be

ANSSI / CERT-FR