CVE-2017-7411

HIGH

Tuleap < 9.6 - Remote Code Execution via User::getRecentElements() Unserialize

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-7411. PoCs published by Metasploit, including Metasploit module exploits/unix/webapp/tuleap_rest_unserialize_exec.

AI-analyzed exploit summary This Metasploit module exploits a second-order PHP object injection vulnerability in Tuleap <= 9.6, allowing authenticated users to execute arbitrary PHP code via a crafted POP chain targeting the Mustache class and eval() in Transition_PostActionSubFactory.

Description

An issue was discovered in Enalean Tuleap 9.6 and prior versions. The vulnerability exists because the User::getRecentElements() method is using the unserialize() function with a preference value that can be arbitrarily manipulated by malicious users through the REST API interface, and this can be exploited to inject arbitrary PHP objects into the application scope, allowing an attacker to perform a variety of attacks (including but not limited to Remote Code Execution).

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotephp

https://www.exploit-db.com/exploits/43374

View Code ZIP pw:eip

This Metasploit module exploits a second-order PHP object injection vulnerability in Tuleap <= 9.6, allowing authenticated users to execute arbitrary PHP code via a crafted POP chain targeting the Mustache class and eval() in Transition_PostActionSubFactory.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Tuleap <= 9.6

Auth required

Prerequisites: Valid Tuleap credentials · Access to an artifact ID

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/tuleap_rest_unserialize_exec.rb