CVE-2020-4043 HIGH

CVE-2020-4043: Phar unserialization vulnerability in phpMussel

Vendor Phpmussel

Product phpMussel

Weakness CWE-502 · Unsafe deserialization

Published June 10, 2020

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

7.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

What the vulnerability does

01Description

phpMussel from versions 1.0.0 and less than 1.6.0 has an unserialization vulnerability in PHP's phar wrapper. Uploading a specially crafted file to an affected version allows arbitrary code execution (discovered, tested, and confirmed by myself), so the risk factor should be regarded as very high. Newer phpMussel versions don't use PHP's phar wrapper, and are therefore unaffected. This has been fixed in version 1.6.0.

Key dates

02Disclosure timeline

June 10, 2020 CVE published

August 4, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-4043 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/502.html

Related vulnerabilities

CVE-2020-4043: Phar unserialization vulnerability in phpMussel

01Description

02Disclosure timeline

03References

04Related CVE