CVE-2020-4043

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-4043
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-4043.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-4043
Aliases
Published
2020-06-10T20:15:14Z
Modified
2024-05-30T02:42:09.130592Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

phpMussel versions from 1.0.0 up to, but not including, 1.6.0 have an unserialization vulnerability in PHP's phar wrapper. Uploading a specially crafted file to an affected version allows arbitrary code execution (discovered, tested, and confirmed by myself), so the risk factor should be regarded as very high. Newer phpMussel versions don't use PHP's phar wrapper, and are therefore unaffected. This has been fixed in version 1.6.0.

References

Affected packages

Git / github.com/phpmussel/phpmussel

Affected ranges

Type
GIT
Repo
https://github.com/phpmussel/phpmussel
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.1
v0.1.0
v0.1.1
v0.10.0
v0.1a
v0.2
v0.2.0
v0.2.1
v0.2a
v0.3
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3a
v0.3b
v0.3c
v0.3d
v0.3e
v0.3f
v0.3g
v0.3g.1
v0.4
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4a
v0.4b
v0.4c
v0.4d
v0.5
v0.5-r0.5.1
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5a
v0.5b
v0.5c
v0.6
v0.6.0
v0.6.1
v0.6a
v0.6b
v0.6b-r0.6b.1
v0.6b-r0.6b.2
v0.6c
v0.6d
v0.6e
v0.6f
v0.6g
v0.6h
v0.6i
v0.6j
v0.7
v0.7.0
v0.7.1
v0.7a
v0.8
v0.8.0
v0.9.0
v0.9.1

v1.*

v1.0.0
v1.1.0
v1.2.0
v1.3.0
v1.3.1
v1.4.0
v1.5.0
v1.6.0