GHSA-5rv2-vvmf-f7w8

Source
https://github.com/advisories/GHSA-5rv2-vvmf-f7w8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-5rv2-vvmf-f7w8/GHSA-5rv2-vvmf-f7w8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5rv2-vvmf-f7w8
Aliases
  • CVE-2023-6654
Published
2023-12-10T15:30:31Z
Modified
2024-02-16T08:10:09.725583Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
PHPEMS Deserialization of Untrusted Data vulnerability
Details

A vulnerability classified as critical was found in PHPEMS 6.x/7.0. It affects an unknown functionality in the library lib/session.cls.php of the Session Data Handler component. Manipulation leads to deserialization of untrusted data. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247357 was assigned to this vulnerability.

Database specific
{
    "nvd_published_at": "2023-12-10T15:15:07Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-11T19:39:47Z"
}
References

Affected packages

Packagist / phpems/phpems

Package

Name
phpems/phpems
Purl
pkg:composer/phpems/phpems

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Last affected
6.1.3

Affected versions

v6.*

v6.0.0
v6.0.1
v6.0.2
v6.0.2.1
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.0.10
v6.1.0
v6.1.1
v6.1.2
v6.1.3