CVE-2023-46817
CRITICAL
phpFox before 4.8.14 - Unauthenticated Remote Code Execution via unserialize() on the url Parameter
An issue was discovered in phpFox before 4.8.14. The url request parameter passed to the /core/redirect route is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code.
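The pattern the description refers to, as an added illustration that is not phpFox's code and does not reproduce the referenced proof of concept: a hypothetical redirect handler that passes the `url` query parameter to `unserialize()`, a hypothetical class (`TempFile`) whose magic method gives an injected object a side effect, and a hardened handler that treats `url` as an opaque string, rejects anything resembling a serialized payload, and only redirects to an allow-listed host (the allow-list is an assumption of this example).

```php
<?php
// Added illustration for CVE-2023-46817 (CWE-502). This is NOT phpFox code:
// the class, route handler, allow-list and inputs below are hypothetical
// stand-ins for the pattern the advisory describes, an attacker-controlled
// `url` parameter reaching unserialize().

declare(strict_types=1);

// Hypothetical application class with a magic method. Any class loadable at
// unserialize() time whose __destruct/__wakeup does something useful to an
// attacker is a "gadget". The real chain used against phpFox is described in
// the referenced advisory and is not reproduced here.
final class TempFile
{
    public string $path;

    public function __construct(string $path) { $this->path = $path; }

    public function __destruct()
    {
        // Runs automatically when an injected object is garbage-collected.
        if (is_file($this->path)) { @unlink($this->path); }
    }
}

// VULNERABLE pattern: the raw query parameter goes straight to unserialize().
// Even when the result is not a string, the object has already been created
// and its magic methods will fire.
function redirectVulnerable(array $query): string
{
    $url = $query['url'] ?? '';
    $target = @unserialize($url);           // object injection happens here
    if ($target === false) { $target = $url; }
    return 'Location: ' . (is_string($target) ? $target : '/');
}

// Guard/detection helper: does a (URL-encoded) value look like a PHP
// serialized object, class or array? Usable as an input check and as a
// pattern to scan access logs for attempts against this route.
function looksSerialized(string $value): bool
{
    $decoded = rawurldecode($value);
    return (bool) preg_match('/^(?:O:\d+:"|C:\d+:"|a:\d+:\{)/', $decoded);
}

// HARDENED pattern: never deserialize user input. Treat `url` as a string,
// validate it as an absolute URL, and only redirect to allow-listed hosts.
function redirectHardened(array $query, array $allowedHosts = ['example.com']): ?string
{
    $url = $query['url'] ?? '';
    if (looksSerialized($url)) { return null; }                      // reject outright
    if (filter_var($url, FILTER_VALIDATE_URL) === false) { return null; }
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || !in_array(strtolower($host), $allowedHosts, true)) {
        return null;                                                  // open-redirect guard
    }
    return 'Location: ' . $url;
}

// Constructed inputs (not captured traffic).
$benign = ['url' => 'https://example.com/home'];
$attack = ['url' => 'O:8:"TempFile":1:{s:4:"path";s:16:"/tmp/victim.lock";}'];

// The vulnerable handler instantiates the attacker's object...
$obj = @unserialize($attack['url']);
var_dump($obj instanceof TempFile);          // bool(true)
var_dump(redirectVulnerable($attack));       // string(11) "Location: /" (object already created)

// ...the hardened handler never gives unserialize() a chance.
var_dump(looksSerialized($attack['url']));   // bool(true)
var_dump(redirectHardened($attack));         // NULL (rejected)
var_dump(redirectHardened($benign));         // string(34) "Location: https://example.com/home"
```

If a code path genuinely must deserialize data it did not produce, PHP 7 and later accept `unserialize($data, ['allowed_classes' => false])`, which turns every object in the payload into `__PHP_Incomplete_Class` and removes the magic-method foothold; it does not, however, make arbitrary serialized input safe, so the allow-list and rejection above remain the primary fix.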
References
http://seclists.org/fulldisclosure/2023/Oct/30 (Exploit, Mailing List, Third Party Advisory)
https://karmainsecurity.com/KIS-2023-12 (Third Party Advisory)
https://karmainsecurity.com/pocs/CVE-2023-46817.php (Exploit, Third Party Advisory)
https://www.phpfox.com/blog/ (Product)
Scores
CVSS v3
9.8
EPSS
0.0181
EPSS Percentile
75.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-502
Status
published
Products (1)
phpfox/phpfox
< 4.8.14
Published
Nov 03, 2023
Tracked Since
Feb 18, 2026