CVE-2020-4043
HIGH
phpMussel 1.0.0-1.5.9 - Remote Code Execution via PHAR Deserialization
phpMussel, from version 1.0.0 up to but not including 1.6.0, has an unserialization vulnerability in PHP's phar wrapper. Uploading a specially crafted file to an affected version allows arbitrary code execution (discovered, tested, and confirmed by myself), so the risk factor should be regarded as very high. Newer phpMussel versions don't use PHP's phar wrapper and are therefore unaffected. This has been fixed in version 1.6.0.
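The advisory names the mechanism (CWE-502 through PHP's phar wrapper) without showing it. The script below is an added example written for this page, not phpMussel's own code: the LogWriter gadget, the scanUpload* functions and the upload directory are hypothetical stand-ins. It builds an archive whose manifest metadata is a serialized object, renames it to .jpg so an extension filter would pass it, and then contrasts the vulnerable shape (a user-influenced path reaching file_exists()) with a hardened one that refuses any URL scheme and pins the resolved path under the upload directory. On PHP builds where the phar wrapper unserializes the metadata as soon as a filesystem function opens the archive (the behaviour the advisory relies on), the vulnerable call alone runs the gadget's __destruct.

```php
<?php
// Added example for this page, not phpMussel code. Shows why a phar:// path
// reaching a filesystem function is a deserialization sink (CWE-502) and the
// checks that keep user-influenced paths away from the wrapper.
// Building the archive requires: php -d phar.readonly=0 phar_demo.php

// Hypothetical gadget: stands in for any __destruct/__wakeup that a real
// application's autoloaded classes might expose.
class LogWriter
{
    public $path;
    public $data;

    public function __destruct()
    {
        // A real gadget would act on $path/$data; here we only report.
        echo "LogWriter::__destruct fired, would write to {$this->path}\n";
    }
}

// Builds an archive whose manifest metadata is a serialized object.
// The file is later renamed to .jpg: the phar wrapper keys on the
// __HALT_COMPILER() stub, not on the extension an upload filter sees.
function buildMaliciousPhar(string $out): void
{
    if (file_exists($out)) {
        unlink($out);
    }
    $phar = new Phar($out);          // Phar requires a .phar name at build time
    $phar->startBuffering();
    $phar->addFromString('dummy.txt', 'x');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $gadget = new LogWriter();
    $gadget->path = '/tmp/attacker-chosen.txt';
    $gadget->data = 'payload';
    $phar->setMetadata($gadget);
    $phar->stopBuffering();
}

// Vulnerable shape: a path derived from the upload reaches a function that
// honours stream wrappers. On PHP builds where the wrapper unserializes the
// metadata as soon as the archive is opened, this single call runs the gadget.
function scanUploadVulnerable(string $path): bool
{
    return file_exists($path);
}

// Hardened shape: refuse any scheme before touching the filesystem, then pin
// the resolved path under the upload directory. realpath() does not resolve
// stream wrappers, so a phar:// path can never reach is_file() here.
function scanUploadHardened(string $path, string $uploadDir): bool
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        throw new InvalidArgumentException("refusing path with a scheme: $path");
    }
    $baseReal = realpath($uploadDir);
    $real     = realpath($path);
    if ($baseReal === false || $real === false) {
        return false;
    }
    $base = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($real, $base) !== 0) {
        return false;                 // resolved outside the upload directory
    }
    return is_file($real);
}

$uploadDir = sys_get_temp_dir();      // hypothetical upload directory
$pharFile  = $uploadDir . '/upload.phar';
$disguised = $uploadDir . '/upload.jpg';
buildMaliciousPhar($pharFile);
rename($pharFile, $disguised);

// Attacker-controlled prefix in front of the stored upload path.
$hostile = 'phar://' . $disguised . '/dummy.txt';

// Parses the archive and, on affected PHP builds, unserializes its metadata.
scanUploadVulnerable($hostile);

// Plain upload path is scanned normally; the wrapper path is refused before I/O.
var_dump(scanUploadHardened($disguised, $uploadDir));
try {
    scanUploadHardened($hostile, $uploadDir);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}

// Stricter, process-wide option for code that never needs phar:// at all.
// The advisory's own fix was narrower: the project stopped using the wrapper.
stream_wrapper_unregister('phar');
unlink($disguised);
```

Run it with `php -d phar.readonly=0 phar_demo.php`; the readonly override is only needed to create the archive, reading through phar:// works with the default setting. The scheme check is the important line: an extension allowlist on the upload does nothing here, because the wrapper, not the file name, decides that a .jpg is a phar.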
References (5)
Mitigation, Third Party Advisory
https://github.com/phpMussel/phpMussel/security/advisories/GHSA-qr95-4mq5-r3fh
Patch, Third Party Advisory
https://github.com/phpMussel/phpMussel/issues/167
Patch, Third Party Advisory
https://github.com/phpMussel/phpMussel/pull/173
Patch, Release Notes, Third Party Advisory
https://github.com/phpMussel/phpMussel/commit/97f25973433921c1f953430f32d3081adc4851a4
Third Party Advisory
https://github.com/phpMussel/phpMussel/security/policy#currently-known-vulnerabilities
Scores
CVSS v3
7.7
EPSS
0.0260
EPSS Percentile
83.4%
Attack Vector
NETWORK
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Details
CWE
CWE-502
Status
published
Products (3)
maikuolan/phpmussel
>= 1.0.0, < 1.6.0 (Packagist)
phpmussel/phpmussel
>= 1.0.0, < 1.6.0 (Packagist)
phpmussel_project/phpmussel
>= 1.0.0, < 1.6.0
Published
Jun 10, 2020
Tracked Since
Feb 18, 2026