CVE-2020-24036Deserialization of Untrusted Data in Fork CMS

CWE-502Deserialization of Untrusted DataCWE-915Improperly Controlled Modification of Dynamically-Determined Object Attributes2 documents2 sources
Severity
8.8HIGHNVD
EPSS
1.0%
top 22.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Fork-cms Fork CMS
Timeline
PublishedMar 4
Latest updateMay 24

Description

PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

NVDfork-cms/fork_cms< 5.8.3

Patches

Patch: tech.feedyourhead.atPatch: www.ait.ac.atPatch: tech.feedyourhead.at

🔴Vulnerability Details

1
GHSA
GHSA-xvr9-jr9p-grf3: PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 52022-05-24
CVE-2020-24036 — Deserialization of Untrusted Data | cvebase