⚠ Actively exploited
Added to CISA KEV on 2024-01-16. Federal agencies required to patch by 2024-02-06. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..
CVE-2018-15133 — Deserialization of Untrusted Data in Framework
Severity
8.1HIGHNVD
OSV5.5
EPSS
83.3%
top 0.73%
CISA KEV
KEV
Added 2024-01-16
Due 2024-02-06
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
PublishedAug 9
KEV addedJan 16
Latest updateFeb 1
KEV dueFeb 6
CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Description
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a pre…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9
Affected Packages4 packages
🔴Vulnerability Details
4💥Exploits & PoCs
2📋Vendor Advisories
2🕵️Threat Intelligence
3Tenable▶
Cybersecurity Snapshot: Critical Infrastructure Orgs Cautioned About Chinese Drones, While Water Plants Advised To Boost Incident Response↗2024-01-19