Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTMyd3ItOHd4bS04NTJj

Critical CVSS: 9.8 EPSS: 0.00681% (0.70838 Percentile) EPSS:
Permalink JSON

Deserialization of Untrusted Data in NukeViet

Affected Packages Affected Versions Fixed Versions
packagist:nukeviet/nukeviet < 4.3.04 4.3.04
0 Dependent packages
0 Dependent repositories
3 Downloads total

Affected Version Ranges

All affected versions

4.0.24

All unaffected versions

4.4.01

includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk).

References:

Identifiers

GHSA-32wr-8wxm-852c

CVE-2019-7725

Risk

Severity

Critical

CVSS

CVSS Score: 9.8

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

EPSS Percentage: 0.00681

EPSS Percentile: 0.70838

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/nukeviet/nukeviet
View on Ecosyste.ms

Date and time

Published

over 4 years ago

Updated

18 days ago

API

JSON