CVE-2016-4010
published 2017-01-23


Priority P1 · 82 · critical 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 92.87% (99.8th percentile)
Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data.

Affected

1 range
Vendor   Product   Version range   Fixed in
magento  magento   <= 2.0.5        2.0.6

Detection & IOCs (extracted from sources)

command: phpinfo
other: paymentMethod.additional_data.additional_information (serialized PHP object payload)
  • Monitor POST requests to /rest/default/V1/guest-carts/*/shipping-information for serialized PHP object payloads in the `additional_information` field of the JSON body (IOC field paymentMethod.additional_data.additional_information), particularly ones naming Magento\Framework\DB\Transaction, Magento\Sales\Model\Order\Payment\Transaction or Magento\Framework\Simplexml\Config\Cache\File.
  • The injection point is crafted serialized shopping cart data submitted to the Magento REST API endpoint for guest cart shipping information; a string carrying the PHP object marker (`O:<len>:"<Class>":`) in that field is a strong indicator on its own, before any class name is matched.
  • Alert on Magento PHP object injection gadget chain class names (e.g., Magento\Framework\DB\Transaction, Credis_Client, Magento\Framework\Simplexml\Config\Cache\File) within HTTP request bodies to Magento REST endpoints.
  • The vulnerability is exploitable via the Metasploit module exploits/multi/http/magento_unserialize; detect exploitation attempts matching this module's traffic patterns against Magento 2.0.5 or earlier (the fix shipped in 2.0.6).
  • The exploit uses payment method 'checkmo' as the delivery vehicle; flag POST requests to shipping-information endpoints where paymentMethod.method is 'checkmo' and additional_information contains serialized PHP data.
  • The payment method used to deliver the payload ('checkmo') may vary per Magento installation; defenders should not rely solely on this value for detection.
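As an added example (not code from the page's sources, from Magento or from the Metasploit module), the detection notes above expressed as one Python rule run over constructed request samples. The endpoint pattern and the gadget class names are taken from the IOCs above; the JSON nesting paymentMethod.additional_data.additional_information, the cart id, and the property names inside the serialized strings are assumptions. The rule walks every string in the body rather than one field, so it still fires when the payload arrives under a different payment method (the caveat in the last note), and it grades hits by whether a listed gadget class is present.

```python
"""Detection logic for the IOCs above: flag POST bodies to the guest-cart
shipping-information endpoint that carry PHP serialized objects, and rank
hits by whether a known gadget-chain class appears."""
import json
import re

# Head of a PHP serialized object: O:<namelen>:"<Class\Name>":<nprops>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')

# Gadget-chain classes listed in the IOC notes above
GADGET_CLASSES = {
    "Magento\\Framework\\DB\\Transaction",
    "Magento\\Sales\\Model\\Order\\Payment\\Transaction",
    "Magento\\Framework\\Simplexml\\Config\\Cache\\File",
    "Credis_Client",
}

# /rest/<store>/V1/guest-carts/<cartId>/shipping-information; the store code is optional
TARGET_PATH_RE = re.compile(
    r"^/rest/(?:[^/]+/)?V1/guest-carts/[^/]+/shipping-information/?$"
)


def walk_strings(node, path=()):
    """Yield (dotted_json_path, value) for every string leaf in a decoded JSON doc."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from walk_strings(val, path + (str(key),))
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            yield from walk_strings(val, path + (str(idx),))
    elif isinstance(node, str):
        yield ".".join(path), node


def analyze_request(method, path, body):
    """Return a finding dict for one HTTP request, or None if it is not suspicious.

    The whole body is walked rather than only the documented field, so a payload
    moved to another key or sent with another payment method is still seen.
    """
    if method.upper() != "POST" or not TARGET_PATH_RE.match(path):
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None  # not JSON; out of scope for this rule

    hits = []
    for jpath, value in walk_strings(doc):
        classes = PHP_OBJECT_RE.findall(value)
        if classes:
            uniq = sorted(set(classes))
            hits.append({
                "field": jpath,
                "classes": uniq,
                "known_gadgets": [c for c in uniq if c in GADGET_CLASSES],
            })
    if not hits:
        return None

    payment = doc.get("paymentMethod") if isinstance(doc, dict) else None
    pm_name = payment.get("method") if isinstance(payment, dict) else None
    return {
        "path": path,
        "payment_method": pm_name,  # reported for context, never used as a condition
        "severity": "critical" if any(h["known_gadgets"] for h in hits) else "high",
        "hits": hits,
    }


def _body(method_name, payload):
    # Nesting follows the IOC field paymentMethod.additional_data.additional_information
    # (assumed); json.dumps escapes the backslashes in the class names for us.
    return json.dumps({
        "addressInformation": {"shipping_method_code": "flatrate",
                               "shipping_carrier_code": "flatrate"},
        "paymentMethod": {"method": method_name,
                          "additional_data": {"additional_information": payload}},
    })


# Constructed sample traffic, not captured from a real exploit run
GADGET_PAYLOAD = 'O:32:"Magento\\Framework\\DB\\Transaction":1:{s:8:"_objects";a:0:{}}'
UNKNOWN_PAYLOAD = 'O:7:"Foo_Bar":1:{s:1:"x";i:1;}'
ENDPOINT = "/rest/default/V1/guest-carts/5c8d1a2b/shipping-information"

SAMPLE_REQUESTS = [
    ("POST", ENDPOINT, _body("checkmo", GADGET_PAYLOAD)),            # exploit-like
    ("POST", ENDPOINT, _body("banktransfer", UNKNOWN_PAYLOAD)),      # other method, unknown class
    ("POST", ENDPOINT, _body("checkmo", "plain customer note")),     # benign
    ("GET", ENDPOINT, ""),                                           # wrong method
    ("POST", "/rest/V1/products", _body("checkmo", GADGET_PAYLOAD)),  # wrong endpoint
]


def scan(requests=SAMPLE_REQUESTS):
    """Run the rule over (method, path, body) tuples; return the non-empty findings."""
    return [r for r in (analyze_request(*req) for req in requests) if r is not None]


if __name__ == "__main__":
    for finding in scan():
        print(json.dumps(finding, indent=2))
```

Run against the samples, the checkmo request with the gadget class is reported as critical, the banktransfer request with an unlisted class as high, and the other three produce nothing. In production the same function can sit behind a WAF hook or a log-parsing job; the `O:` marker check is the part worth keeping even if the class list goes stale.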

CVSS provenance

NVD  v3.0  9.8  CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD  v2.0  7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P