What the vulnerability does
01Description
Deserialization of Untrusted Data vulnerability in Marcus (aka @msykes) Events Manager events-manager allows Object Injection.This issue affects Events Manager: from n/a through <= 7.3.6.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
What the vulnerability does
Deserialization of Untrusted Data vulnerability in Marcus (aka @msykes) Events Manager events-manager allows Object Injection.This issue affects Events Manager: from n/a through <= 7.3.6.
Explanation of Vulnerability in Simple Terms
Events Manager versions up to 7.3.6 contain a deserialization vulnerability that allows attackers to execute arbitrary code on the site. An attacker can craft a malicious serialized object that, when deserialized by the application, executes code with full site privileges. The vulnerability requires user interaction—typically a victim must click a link or visit a page—but no authentication is needed.
What an attacker can do
Run their own code on the site with full privileges, read/modify data, or take over the site.
Potential impact on your site
Complete site compromise possible. Attacker can steal data, modify content, create admin accounts, or inject malware.
Conditions required to exploit
Victim must click a malicious link or visit an attacker-controlled page; no login required.
Key dates
External resources
Related vulnerabilities