CVE-2024-1353 MEDIUM

CVE-2024-1353: PHPEMS index.api.php index deserialization

Vendor N/A

Product PHPEMS

Weakness CWE-502 · Unsafe deserialization

Published February 9, 2024

Last update May 8, 2025

View on NVD All CVEs

CVSS base score

6.3/10

Attack vector Adjacent

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

A vulnerability, which was classified as critical, has been found in PHPEMS up to 1.0. Affected by this issue is the function index of the file app/weixin/controller/index.api.php. The manipulation of the argument picurl leads to deserialization. The exploit has been disclosed to the public and may be used. VDB-253226 is the identifier assigned to this vulnerability.

Key dates

02Disclosure timeline

February 9, 2024 CVE published

May 8, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-1353 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/502.html

Related vulnerabilities

04Related CVE

CVE-2023-52205 WordPress HTML5 SoundCloud Player Plugin <= 2.8.0 is vulnerable to PHP Object Injection CVE-2025-10363 Unauthenticated RCE via .NET Deserialization in Topal Finance Software CVE-2025-52827 WordPress Nuss theme <= 1.3.3 - PHP Object Injection Vulnerability CVE-2024-3301 Post-authentication Unsafe .NET object deserialization vulnerability affecting DELMIA Apriso Release 2019 through Release 2024 CVE-2024-4733 ShiftController Employee Shift Scheduling <= 4.9.57 - Authenticated (Contributor+) PHP Object Injection