ShiftController Employee Shift Scheduling Plugin Vulnerable to PHP Object Injection via Deserialization

CVE-2024-4733

7.5HIGH

Key Information

Vendor: Plainware
Status: Shiftcontroller Employee Shift Scheduling
Vendor: CVE Published:; 16 May 2024

Summary

The ShiftController Employee Shift Scheduling plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the `hc3_session`-cookie in versions up to, and including, 4.9.57. This makes it possible for an authenticated attacker with contributor access-level or above to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affected Version(s)

ShiftController Employee Shift Scheduling <= 4.9.57

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Disclosed
May 16, 2024
Vulnerability published.
May 16, 2024
Vulnerability Reserved.
May 10, 2024

Collectors

NVD DatabaseMitre Database

Credit

Peter Thaleikis