Main Vulnerability Database Vulnerabilities #VU27474

Deserialization of Untrusted Data in Subrion CMS - CVE-2020-12469

Published: April 30, 2020

Vulnerability identifier: #VU27474

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2020-12469

CWE-ID: CWE-502

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Intelliants

Affected software:
Subrion CMS

Detailed vulnerability description

The vulnerability allows a remote attacker to delete arbitrary files.

The vulnerability exists in "admin/blocks.php" file due to insecure input validation when processing serialized data in the subpages value within a block to blocks/edit. A remote authenticated attacker can pass specially crafted data to the application, cause PHP Object Injection and delete arbitrary files on the target system.

How to mitigate CVE-2020-12469

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Sources

https://github.com/belong2yourself/vulnerabilities/tree/master/Subrion%20CMS/Insecure%20Deserialization/Subpages%20-%20Authenticated%20PHP%20Object%20Injection

Deserialization of Untrusted Data in Subrion CMS - CVE-2020-12469

Detailed vulnerability description

How to mitigate CVE-2020-12469

Sources

Please verify you're human