OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity requests, leading to remote code execution. This occurs because lib/DataGrid.php calls unserialize for the parametersactivity:ActivityDataGrid parameter. The PHP object injection exploit chain can leverage an __destruct magic method in guzzlehttp.
Metrics
Affected Vendors & Products
References
History
No history.

Status: PUBLISHED
Assigner: mitre
Published: 2021-01-18T05:28:37
Updated: 2024-08-03T19:56:11.167Z
Reserved: 2021-01-18T00:00:00
Link: CVE-2021-25294

No data.

Status : Modified
Published: 2021-01-18T06:15:12.897
Modified: 2024-11-21T05:54:41.983
Link: CVE-2021-25294

No data.