What the vulnerability does
01Description
Shop manager PHP Object Injection in YayMail <= 4.3.3 versions.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
What the vulnerability does
Shop manager PHP Object Injection in YayMail <= 4.3.3 versions.
Explanation of Vulnerability in Simple Terms
YayMail versions up to 4.3.3 contain a deserialization vulnerability that allows high-privileged users to execute arbitrary code on the site. An attacker with admin or equivalent access can craft malicious serialized data to trigger code execution. Update to version 4.4.2 or later to patch this issue.
What an attacker can do
Run arbitrary code on the site with full server access.
Potential impact on your site
A compromised admin account can lead to complete site takeover, data theft, or malware installation.
Conditions required to exploit
Attacker must have high-level admin or equivalent privileges on the site.
Key dates
External resources
Related vulnerabilities