CVE-2025-61505

Source
https://cve.org/CVERecord?id=CVE-2025-61505
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-61505.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-61505
Published
2025-10-10T19:15:38.257Z
Modified
2026-04-10T05:32:35.976665Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
[none]
Details

e107 CMS versions through 2.3.3 are vulnerable to insecure deserialization in the install.php script. The script passes the user-controlled previous_steps POST parameter to unserialize(base64_decode()) without validation, so an attacker can supply crafted serialized data. Depending on which PHP object gadgets are available in the codebase, this could lead to remote code execution, arbitrary file operations, or denial of service.

Affected packages

Git / github.com/e107inc/e107

Affected ranges

Type
GIT
Repo
https://github.com/e107inc/e107
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.3.3"
        }
    ]
}

Affected versions

v2.*
v2.0-beta1
v2.0alpha
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0
v2.2.1
v2.3.0
v2.3.0-rc1
v2.3.1
v2.3.2
v2.3.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-61505.json"