CVE-2020-23653: Remote code execution vulnerability · Issue #238 · zoujingli/ThinkAdmin

An insecure unserialize vulnerability was discovered in ThinkAdmin versions 4.x through 6.x in app/admin/controller/api/Update.php and app/wechat/controller/api/Push.php, which may lead to arbitrary remote code execution.


Hi, this is the Tencent Xcheck team. Our code safety check tool Xcheck has found several unserialize vulnerabilities in this project (v4, v5, v6). They lead to remote code execution. Here are the details.

v6

  1. app/admin/controller/api/Update.php
     line 46: $this->rules = unserialize($this->request->post('rules', 'a:0:{}', ''));
     line 47: $this->ignore = unserialize($this->request->post('ignore', 'a:0:{}', ''));

v4, v5, v6

  2. app/wechat/controller/api/Push.php
     line 102: $this->receive = $this->toLower(unserialize($this->request->post('receive', '', null)));

To prevent abuse of this vulnerability, we don't provide a proof of concept. We hope it will be repaired as soon as possible.

From Xcheck Team
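As an added illustration (this is not ThinkAdmin's code and not part of the Xcheck report), the PHP below puts the vulnerable pattern quoted in the issue beside two hardened replacements and shows why the first one is exploitable: unserialize() on a client-supplied string instantiates whatever class the payload names and runs its magic methods. The class DemoCacheEntry, the function names and the request bodies are constructed for this example; it assumes PHP 8 on the command line.

```php
<?php
declare(strict_types=1);

// Stand-in for any application or library class with a magic method. Real
// gadget chains live in the target's own code base or its dependencies; this
// hypothetical class only records that __wakeup() ran so the effect is visible.
final class DemoCacheEntry
{
    /** @var string[] */
    public static array $log = [];
    public string $path = '';

    public function __wakeup(): void
    {
        // A real gadget might write a file or call into another
        // attacker-controlled object here; this one just logs.
        self::$log[] = "__wakeup fired with path={$this->path}";
    }
}

// Constructed request bodies. The vulnerable code expected a serialized array
// (its default is 'a:0:{}'), but a client can send a serialized object instead.
const BENIGN_BODY    = 'a:1:{s:4:"rule";s:5:"admin";}';
const MALICIOUS_BODY = 'O:14:"DemoCacheEntry":1:{s:4:"path";s:11:"/etc/passwd";}';

// 1. Vulnerable: the shape of the lines quoted in the issue. Any class that is
//    loaded (or autoloadable) can be instantiated and its magic methods run.
function vulnerableRules(string $raw): mixed
{
    return unserialize($raw);
}

// 2. Hardened: forbid object instantiation, then check the shape you expected.
//    A serialized object comes back as __PHP_Incomplete_Class, which is not an
//    array, so it is rejected and no __wakeup()/__destruct() ever runs.
function hardenedRules(string $raw): array
{
    $value = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new InvalidArgumentException('rules must be a serialized array');
    }
    return $value;
}

// 3. Preferred: do not accept PHP serialization from clients at all. JSON has
//    no object-instantiation semantics and the depth limit bounds nesting.
function jsonRules(string $raw): array
{
    $value = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new InvalidArgumentException('rules must be a JSON array/object');
    }
    return $value;
}

// Demonstration: the vulnerable path runs the magic method as a side effect
// of parsing the request body, before the caller can validate anything.
vulnerableRules(MALICIOUS_BODY);
echo "vulnerable: ", DemoCacheEntry::$log[0] ?? 'no side effect', PHP_EOL;

// The hardened path rejects the same body and records no side effect at all.
DemoCacheEntry::$log = [];
try {
    hardenedRules(MALICIOUS_BODY);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected (", $e->getMessage(), ")", PHP_EOL;
}
echo "hardened side effects: ", count(DemoCacheEntry::$log), PHP_EOL;

// Both safe variants still accept the data the endpoint was designed for.
var_export(hardenedRules(BENIGN_BODY));
echo PHP_EOL;
var_export(jsonRules('{"rule":"admin"}'));
echo PHP_EOL;
```

Run it with `php example.php`. Two caveats a reviewer of the real fix would want stated: `allowed_classes => false` closes the object-instantiation path that turns these lines into code execution, but unserialize() has a history of memory-safety bugs and still has to parse attacker-controlled input, so for client-supplied data the JSON variant is the better replacement; and the default values passed to `post()` (`'a:0:{}'`, `''`) are not a defence, because the client controls the parameter whenever it is present in the request.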
