CVE-2023-6654

MEDIUM

PHPEMS 6.x/7.x/8.x/9.0 - Deserialization

Title source: llm

Description

A vulnerability classified as critical was found in PHPEMS 6.x/7.x/8.x/9.0. Affected by this vulnerability is an unknown functionality in the library lib/session.cls.php of the component Session Data Handler. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247357 was assigned to this vulnerability.

Exploits (1)

nomisec WORKING POC 2 stars

by qfmy1024 · poc

https://github.com/qfmy1024/CVE-2023-6654

View Code ZIP pw:eip

References (3)

[Permissions Required] https://note.zhaoj.in/share/jw4Hp9cq7T69

[Permissions Required, Third Party Advisory, VDB Entry] https://vuldb.com/?ctiid.247357

[Permissions Required, Third Party Advisory, VDB Entry] https://vuldb.com/?id.247357

Scores

CVSS v3 6.3

EPSS 0.0236

EPSS Percentile 85.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-502

Status published

Products (3)

phpems/phpems 6.0

phpems/phpems 7.0

phpems/phpems 6.0.0Packagist

Published Dec 10, 2023

Tracked Since Feb 18, 2026