Common Weakness Enumeration

CWE-502

Allowed

Deserialization of Untrusted Data

Abstraction: Base · Status: Draft

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

4801 vulnerabilities reference this CWE, most recent first.

GHSA-VJ2F-C594-7C7C

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

Deserialization of untrusted data vulnerability in XooNIps 3.49 and earlier allows remote attackers to execute arbitrary code via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-5664"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-16T05:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of untrusted data vulnerability in XooNIps 3.49 and earlier allows remote attackers to execute arbitrary code via unspecified vectors.",
  "id": "GHSA-vj2f-c594-7c7c",
  "modified": "2022-05-24T17:34:22Z",
  "published": "2022-05-24T17:34:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5664"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU92053563/index.html"
    },
    {
      "type": "WEB",
      "url": "https://xoonips.osdn.jp/modules/news/index.php?page=article\u0026storyid=13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VJ3M-2G9H-VM4P

Vulnerability from github – Published: 2026-05-05 21:29 – Updated: 2026-05-05 21:29
VLAI
Summary
Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass
Details

Multiple RCE vectors were found in Grav CMS. Three are critical, two are high.

1. Unsafe unserialize() in JobQueue — direct RCE gadget (Critical)

system/src/Grav/Common/Scheduler/JobQueue.php:465 calls unserialize(base64_decode(...)) without restricting allowed_classes. The Job class has call_user_func_array($this->command, $this->args) in its execution path, which is a direct gadget chain — inject a serialized Job with command = 'system' and args = ['whoami'].

The same codebase actually has a Serializable trait that correctly restricts classes, so this inconsistency stands out.

2. Unsafe unserialize() in FileCache — arbitrary class instantiation (Critical)

system/src/Grav/Framework/Cache/Adapter/FileCache.php:75 does unserialize($value, ['allowed_classes' => true]). That true allows instantiation of any class. If an attacker can write to the cache directory (via any file write primitive), they get object injection → RCE.

3. Unsafe unserialize() in Session (High)

system/src/Grav/Common/Session.php:116 — same allowed_classes => true pattern on session data. Lower severity since session storage is typically more restricted.

4. Command injection in git clone (Critical)

system/src/Grav/Console/Cli/InstallCommand.php:150 — only $this->destination uses escapeshellarg(). The $data['branch'], $data['url'], and $data['path'] variables go directly into the shell command without escaping. Admin-accessible via plugin/theme installation.

5. SSTI blocklist bypass (High)

system/src/Grav/Common/Security.php:267-286cleanDangerousTwig() blocks twig_array_map and twig_array_filter but not twig_array_reduce. Also missing file_get_contents and fwrite from the dangerous function blocklist. An attacker who can inject Twig templates can bypass the security filter.

All five are independently exploitable. The unserialize issues are the most concerning since they don't require admin access if there's any file write primitive.

— ProScan AppSec | proscan.one


Maintainer note — fix applied (2026-04-24)

Fixed in Grav core on the 2.0 branch: commit c66dfeb5f (items #1, #2, #3, #4) and commit 38685ac25 + c66dfeb5f (item #5) — ships in 2.0.0-beta.2.

All five vectors addressed:

  1. Scheduler\JobQueue unsafe unserializeserialized_job now carries a sibling serialized_job_hmac signed with Security::getNonceKey(). reconstructJob refuses to unserialize an item whose HMAC is missing/mismatched and falls through to the safe structured-fields rebuild. A tampered queue file can no longer smuggle a forged Job for direct RCE via Job::exec → call_user_func_array.
    system/src/Grav/Common/Scheduler/JobQueue.php

  2. FileCache unsafe unserialize — same HMAC-integrity approach; see separate GHSA-gwfr-jfjf-92vv.
    system/src/Grav/Framework/Cache/Adapter/FileCache.php

  3. Session::getFlashObject unsafe unserialize — payload now wrapped in a v2|<hmac>|<serialized> envelope; legacy/forged envelopes return null instead of triggering unserialize.
    system/src/Grav/Common/Session.php

  4. InstallCommand git clone shell injectionbranch, url, and path values read from user/.dependencies are now passed through escapeshellarg, with a -- separator before url/path to block option-injection (e.g. --upload-pack=evil).
    system/src/Grav/Console/Cli/InstallCommand.php

  5. SSTI blocklist bypasstwig_array_reduce (the specific name called out) plus twig_array_some and twig_array_every added to cleanDangerousTwig's CALLABLE_DANGEROUS_NAMES alongside the existing twig_array_map/filter. More importantly, the new Twig content sandbox in 2.0.0-beta.2 blocks this class of attack at a different layer — see the sandbox work in 38685ac25.
    system/src/Grav/Common/Security.php

Tests: - tests/unit/Grav/Common/Security/UnserializeIntegritySecurityTest.php — 8 cases covering JobQueue + Session HMAC integrity. - tests/unit/Grav/Common/Security/FileCacheSecurityTest.php. - tests/unit/Grav/Common/Security/CleanDangerousTwigTest.php — new twig_array_* entries in providerCallbackFunctions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0-beta.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-502",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T21:29:02Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Multiple RCE vectors were found in Grav CMS. Three are critical, two are high.\n\n**1. Unsafe unserialize() in JobQueue \u2014 direct RCE gadget (Critical)**\n\n`system/src/Grav/Common/Scheduler/JobQueue.php:465` calls `unserialize(base64_decode(...))` without restricting `allowed_classes`. The `Job` class has `call_user_func_array($this-\u003ecommand, $this-\u003eargs)` in its execution path, which is a direct gadget chain \u2014 inject a serialized `Job` with `command = \u0027system\u0027` and `args = [\u0027whoami\u0027]`.\n\nThe same codebase actually has a `Serializable` trait that correctly restricts classes, so this inconsistency stands out.\n\n**2. Unsafe unserialize() in FileCache \u2014 arbitrary class instantiation (Critical)**\n\n`system/src/Grav/Framework/Cache/Adapter/FileCache.php:75` does `unserialize($value, [\u0027allowed_classes\u0027 =\u003e true])`. That `true` allows instantiation of any class. If an attacker can write to the cache directory (via any file write primitive), they get object injection \u2192 RCE.\n\n**3. Unsafe unserialize() in Session (High)**\n\n`system/src/Grav/Common/Session.php:116` \u2014 same `allowed_classes =\u003e true` pattern on session data. Lower severity since session storage is typically more restricted.\n\n**4. Command injection in git clone (Critical)**\n\n`system/src/Grav/Console/Cli/InstallCommand.php:150` \u2014 only `$this-\u003edestination` uses `escapeshellarg()`. The `$data[\u0027branch\u0027]`, `$data[\u0027url\u0027]`, and `$data[\u0027path\u0027]` variables go directly into the shell command without escaping. Admin-accessible via plugin/theme installation.\n\n**5. SSTI blocklist bypass (High)**\n\n`system/src/Grav/Common/Security.php:267-286` \u2014 `cleanDangerousTwig()` blocks `twig_array_map` and `twig_array_filter` but not `twig_array_reduce`. Also missing `file_get_contents` and `fwrite` from the dangerous function blocklist. An attacker who can inject Twig templates can bypass the security filter.\n\nAll five are independently exploitable. The unserialize issues are the most concerning since they don\u0027t require admin access if there\u0027s any file write primitive.\n\n\u2014 ProScan AppSec | proscan.one\n\n\n---\n\n## Maintainer note \u2014 fix applied (2026-04-24)\n\nFixed in Grav core on the `2.0` branch: commit [`c66dfeb5f`](https://github.com/getgrav/grav/commit/c66dfeb5f) (items #1, #2, #3, #4) and commit [`38685ac25`](https://github.com/getgrav/grav/commit/38685ac25) + [`c66dfeb5f`](https://github.com/getgrav/grav/commit/c66dfeb5f) (item #5) \u2014 ships in **2.0.0-beta.2**.\n\nAll five vectors addressed:\n\n1. **Scheduler\\JobQueue unsafe unserialize** \u2014 `serialized_job` now carries a sibling `serialized_job_hmac` signed with `Security::getNonceKey()`. `reconstructJob` refuses to unserialize an item whose HMAC is missing/mismatched and falls through to the safe structured-fields rebuild. A tampered queue file can no longer smuggle a forged `Job` for direct RCE via `Job::exec \u2192 call_user_func_array`.  \n   \u2192 [`system/src/Grav/Common/Scheduler/JobQueue.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Scheduler/JobQueue.php)\n\n2. **FileCache unsafe unserialize** \u2014 same HMAC-integrity approach; see separate GHSA-gwfr-jfjf-92vv.  \n   \u2192 [`system/src/Grav/Framework/Cache/Adapter/FileCache.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Framework/Cache/Adapter/FileCache.php)\n\n3. **Session::getFlashObject unsafe unserialize** \u2014 payload now wrapped in a `v2|\u003chmac\u003e|\u003cserialized\u003e` envelope; legacy/forged envelopes return null instead of triggering `unserialize`.  \n   \u2192 [`system/src/Grav/Common/Session.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Session.php)\n\n4. **InstallCommand `git clone` shell injection** \u2014 `branch`, `url`, and `path` values read from `user/.dependencies` are now passed through `escapeshellarg`, with a `--` separator before url/path to block option-injection (e.g. `--upload-pack=evil`).  \n   \u2192 [`system/src/Grav/Console/Cli/InstallCommand.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Console/Cli/InstallCommand.php)\n\n5. **SSTI blocklist bypass** \u2014 `twig_array_reduce` (the specific name called out) plus `twig_array_some` and `twig_array_every` added to `cleanDangerousTwig`\u0027s `CALLABLE_DANGEROUS_NAMES` alongside the existing `twig_array_map`/`filter`. More importantly, the new Twig content sandbox in 2.0.0-beta.2 blocks this class of attack at a different layer \u2014 see the sandbox work in [`38685ac25`](https://github.com/getgrav/grav/commit/38685ac25).  \n   \u2192 [`system/src/Grav/Common/Security.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Security.php)\n\n**Tests:**\n- [`tests/unit/Grav/Common/Security/UnserializeIntegritySecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/UnserializeIntegritySecurityTest.php) \u2014 8 cases covering JobQueue + Session HMAC integrity.\n- [`tests/unit/Grav/Common/Security/FileCacheSecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/FileCacheSecurityTest.php).\n- [`tests/unit/Grav/Common/Security/CleanDangerousTwigTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/CleanDangerousTwigTest.php) \u2014 new `twig_array_*` entries in `providerCallbackFunctions`.",
  "id": "GHSA-vj3m-2g9h-vm4p",
  "modified": "2026-05-05T21:29:02Z",
  "published": "2026-05-05T21:29:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-vj3m-2g9h-vm4p"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass"
}

GHSA-VJ47-XVV7-VCR5

Vulnerability from github – Published: 2023-12-20 15:30 – Updated: 2026-04-28 21:33
VLAI
Details

Deserialization of Untrusted Data vulnerability in Master Slider Master Slider Pro.This issue affects Master Slider Pro: from n/a through 3.6.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47507"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-20T14:15:21Z",
    "severity": "HIGH"
  },
  "details": "Deserialization of Untrusted Data vulnerability in Master Slider Master Slider Pro.This issue affects Master Slider Pro: from n/a through 3.6.5.",
  "id": "GHSA-vj47-xvv7-vcr5",
  "modified": "2026-04-28T21:33:27Z",
  "published": "2023-12-20T15:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47507"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/masterslider/wordpress-master-slider-pro-plugin-3-6-5-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ7V-2RFM-6P53

Vulnerability from github – Published: 2023-01-31 00:30 – Updated: 2023-02-07 21:30
VLAI
Details

A CWE 502: Deserialization of Untrusted Data vulnerability exists that could allow code to be remotely executed on the server when unsafely deserialized data is posted to the web server. Affected Products: Data Center Expert (Versions prior to V7.9.0)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32521"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-30T23:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A CWE 502: Deserialization of Untrusted Data vulnerability exists that could allow code to be remotely executed on the server when unsafely deserialized data is posted to the web server. Affected Products: Data Center Expert (Versions prior to V7.9.0)",
  "id": "GHSA-vj7v-2rfm-6p53",
  "modified": "2023-02-07T21:30:23Z",
  "published": "2023-01-31T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32521"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-04_+Data_Center_Expert_Security_Notification.pdf\u0026p_Doc_Ref=SEVD-2022-165-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ9V-J9W9-C282

Vulnerability from github – Published: 2026-07-13 12:35 – Updated: 2026-07-13 12:35
VLAI
Details

Deserialization of Untrusted Data vulnerability in axiomthemes 777 triple-seven allows Object Injection.This issue affects 777: from n/a through <= 1.13.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57738"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-13T10:16:40Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of Untrusted Data vulnerability in axiomthemes 777 triple-seven allows Object Injection.This issue affects 777: from n/a through \u003c= 1.13.0.",
  "id": "GHSA-vj9v-j9w9-c282",
  "modified": "2026-07-13T12:35:04Z",
  "published": "2026-07-13T12:35:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57738"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/triple-seven/vulnerability/wordpress-777-theme-1-13-0-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJF3-755P-P4FR

Vulnerability from github – Published: 2025-12-18 09:30 – Updated: 2026-01-20 15:32
VLAI
Details

Deserialization of Untrusted Data vulnerability in TieLabs Jannah jannah allows Object Injection.This issue affects Jannah: from n/a through <= 7.6.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-64206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-18T08:16:11Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of Untrusted Data vulnerability in TieLabs Jannah jannah allows Object Injection.This issue affects Jannah: from n/a through \u003c= 7.6.0.",
  "id": "GHSA-vjf3-755p-p4fr",
  "modified": "2026-01-20T15:32:31Z",
  "published": "2025-12-18T09:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64206"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/jannah/vulnerability/wordpress-jannah-theme-7-6-0-php-object-injection-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Theme/jannah/vulnerability/wordpress-jannah-theme-7-6-0-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJH6-VPH2-J2Q4

Vulnerability from github – Published: 2025-07-19 06:30 – Updated: 2025-07-19 06:30
VLAI
Details

The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-19T05:15:22Z",
    "severity": "CRITICAL"
  },
  "details": "The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.",
  "id": "GHSA-vjh6-vph2-j2q4",
  "modified": "2025-07-19T06:30:57Z",
  "published": "2025-07-19T06:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7696"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/integration-for-contact-form-7-and-pipedrive/tags/1.2.3/integration-for-contact-form-7-and-pipedrive.php#L953"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3329002"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/integration-for-contact-form-7-and-pipedrive/#developers"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6980112b-a555-47a4-b2d7-f0187d52fc63?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJPG-WM6M-CJG7

Vulnerability from github – Published: 2024-03-20 15:32 – Updated: 2025-01-16 18:30
VLAI
Details

In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a remote threat actor through an insecure deserialization vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1856"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-20T13:15:15Z",
    "severity": "HIGH"
  },
  "details": "\nIn Progress\u00ae Telerik\u00ae Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a remote threat actor through an insecure deserialization vulnerability.",
  "id": "GHSA-vjpg-wm6m-cjg7",
  "modified": "2025-01-16T18:30:57Z",
  "published": "2024-03-20T15:32:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1856"
    },
    {
      "type": "WEB",
      "url": "https://docs.telerik.com/reporting/knowledge-base/deserialization-vulnerability-cve-2024-1801-cve-2024-1856"
    },
    {
      "type": "WEB",
      "url": "https://www.telerik.com/products/reporting.aspx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJRH-7RVQ-8GHW

Vulnerability from github – Published: 2025-07-11 06:30 – Updated: 2026-01-23 22:06
VLAI
Details

The communication protocol used between the server process and the service control had a flaw that could lead to a local privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30025"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-11T06:15:24Z",
    "severity": "MODERATE"
  },
  "details": "The communication protocol used between the\nserver process and the service control had a flaw that could lead to a local privilege escalation.",
  "id": "GHSA-vjrh-7rvq-8ghw",
  "modified": "2026-01-23T22:06:23Z",
  "published": "2025-07-11T06:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30025"
    },
    {
      "type": "WEB",
      "url": "https://www.axis.com/dam/public/40/0e/03/cve-2025-30025pdf-en-US-485736.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.axis.com/dam/public/f2/28/d2/cve-2025-30025pdf-en-US-517962.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VM3J-G376-5MPF

Vulnerability from github – Published: 2023-01-10 18:30 – Updated: 2023-01-13 15:30
VLAI
Details

Spitfire CMS 1.0.475 is vulnerable to PHP Object Injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47083"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-10T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Spitfire CMS 1.0.475 is vulnerable to PHP Object Injection.",
  "id": "GHSA-vm3j-g376-5mpf",
  "modified": "2023-01-13T15:30:26Z",
  "published": "2023-01-10T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47083"
    },
    {
      "type": "WEB",
      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5720.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Mitigation
Implementation

Explicitly define a final object() to prevent deserialization.

Mitigation
Architecture and Design Implementation
  • Make fields transient to protect them from deserialization.
  • An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Implementation

Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.

Mitigation
Architecture and Design Implementation

Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-586: Object Injection

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.