CVE-2024-23759
published 2024-02-12


Priority: P277 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT: public exploit available (see the Metasploit module under Detection & IOCs)
EPSS: 47.83% (98.7th percentile)
Deserialization of Untrusted Data in Gambio through 4.9.2.0 allows attackers to run arbitrary code via the "search" parameter of the "Parcelshopfinder/AddAddressBookEntry" function.

Affected

1 range
Vendor: gambio · Product: gambio · Version range: not listed in the table (the description says through 4.9.2.0) · Fixed in: not listed

Detection & IOCs (extracted from sources)

url: /shop.php?do=Parcelshopfinder/AddAddressBookEntry
snort/suricata rule (ET sid:2051956):
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Gambio E-Commerce Suite Deserialization of Untrusted Data (CVE-2024-23759)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/shop.php?do=Parcelshopfinder/AddAddressBookEntry"; fast_pattern; http.header_names; content:"|0d 0a|Cookie|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; content:"|0d 0a|Content-Type|0d 0a|"; http.request_body; content:"checkout_started|3d|0&search|3d|"; startswith; base64_decode:bytes 30, offset 0, relative; base64_data; content:"GuzzleHttp"; reference:url,attackerkb.com/topics/cxCsICfcDY/cve-2024-23759; reference:cve,2024-23759; classtype:attempted-admin; sid:2051956; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_04_08, cve CVE_2024_23759, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_04_11, reviewed_at 2024_10_03; target:dest_ip;)
bytes: checkout_started=0&search= at the start of the POST body (written in the rule's hex-byte notation as checkout_started|3d|0&search|3d|, where |3d| is '=')
bytes: GuzzleHttp, found by base64-decoding the first 30 bytes of the search value
  • The exploit arrives as an unauthenticated HTTP POST to /shop.php?do=Parcelshopfinder/AddAddressBookEntry; no session or authentication cookie is required. Note that the ET rule nevertheless requires the Cookie, Host and Content-Type header names to be present (the http.header_names checks), so a request that omits a Cookie header is not matched by the rule even though the endpoint does not need one.
  • The POST body begins with 'checkout_started=0&search=', where the value of the 'search' parameter is a base64-encoded PHP serialized payload. The rule base64-decodes the first 30 bytes of that value and looks for the 'GuzzleHttp' gadget-chain marker; a window that short is enough because a PHP serialized object starts with O:<length>:"<class name>", so the class name sits within the first few decoded bytes.
  • The exploit targets the Parcelshopfinder/AddAddressBookEntry function via the 'search' parameter; alert on any POST to this endpoint from untrusted/external sources.
  • The deserialization payload leverages the GuzzleHttp gadget chain; the presence of 'GuzzleHttp' in the base64-decoded POST body is a high-confidence indicator of exploitation.
  • A Metasploit module exists for this CVE (gambio_unauth_rce_cve_2024_23759.rb), so commodity exploitation tooling is available; expect automated scanning.
  • The Snort/Suricata rule (ET sid:2051956) carries the 'tls_state TLSDecrypt' and 'deployment SSLDecrypt' metadata tags: on TLS-encrypted traffic it only fires if SSL inspection/decryption is enabled on the sensor.
  • The rule uses 'http1' as the protocol keyword, so it applies only to HTTP/1.x traffic and will not match HTTP/2 connections without additional tuning.
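As an added example (not part of this CVE entry, and not code from Gambio or Emerging Threats), the Python below re-implements the match conditions of ET sid:2051956 over a few constructed requests so the bullets above can be checked offline: POST method, target URI, required header names, body prefix, base64 decode of the first 30 bytes of the search value, and the 'GuzzleHttp' marker. The request tuples, hostname, cookie value and the serialized stand-in payload are all constructed for the example; the real gadget chain is not reproduced, only a harmless PHP object header naming a GuzzleHttp class, which is enough to put the marker where the rule looks. One deliberate difference from the rule: the form value is URL-decoded before base64 decoding, which the rule (matching raw body bytes) does not do.

```python
"""Offline re-implementation of the ET sid:2051956 match conditions.

Added example, not code from the CVE entry, Gambio or Emerging Threats.
Assumed request shape: (method, uri, headers_dict, body_str).
"""
import base64
import binascii
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote_plus

Request = Tuple[str, str, Dict[str, str], str]

TARGET_URI = "/shop.php?do=Parcelshopfinder/AddAddressBookEntry"
BODY_PREFIX = "checkout_started=0&search="    # rule: content:"checkout_started|3d|0&search|3d|"; startswith;
GADGET_MARKER = b"GuzzleHttp"                  # rule: base64_data; content:"GuzzleHttp";
DECODE_WINDOW = 30                             # rule: base64_decode:bytes 30, offset 0, relative;
REQUIRED_HEADERS = {"cookie", "host", "content-type"}  # rule: http.header_names checks


def search_value(body: str) -> Optional[str]:
    """Return the raw (still URL-encoded) `search` value if the body starts as the rule expects."""
    if not body.startswith(BODY_PREFIX):
        return None
    return body[len(BODY_PREFIX):].split("&", 1)[0]


def decoded_prefix(raw_value: str, window: int = DECODE_WINDOW) -> bytes:
    """URL-decode the form value, then base64-decode its first `window` characters.

    Unlike the rule, this URL-decodes first so '+' and '=' sent as %2B / %3D
    still decode. The window is cut to a multiple of 4 so a partial base64
    group does not raise; undecodable input yields b"" instead of an exception.
    """
    b64 = unquote_plus(raw_value)[:window]
    b64 = b64[: len(b64) - len(b64) % 4]
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return b""


def matches_cve_2024_23759(method: str, uri: str, headers: Dict[str, str], body: str) -> bool:
    """True when a request satisfies every condition of the ET rule."""
    if method.upper() != "POST" or TARGET_URI not in uri:
        return False
    # The rule insists these header names are present even though the
    # endpoint itself needs no authenticated session.
    if not REQUIRED_HEADERS <= {name.lower() for name in headers}:
        return False
    value = search_value(body)
    if value is None:
        return False
    return GADGET_MARKER in decoded_prefix(value)


def encode_search(payload: bytes) -> str:
    """Form-encode a payload the way a client would: base64, then percent-encoding."""
    return quote(base64.b64encode(payload).decode("ascii"), safe="")


# Constructed stand-in for the serialized payload: a PHP object header naming a
# GuzzleHttp class with zero properties. The real gadget chain is NOT reproduced;
# this only puts the marker where a serialized object always carries its class name.
STAND_IN_PAYLOAD = b'O:24:"GuzzleHttp\\ExampleGadget":0:{}'

_HEADERS = {"Host": "shop.example.test", "Cookie": "GAMBIO=constructed",
            "Content-Type": "application/x-www-form-urlencoded"}

# Constructed sample traffic (not captured data): one hit and three near misses.
SAMPLE_REQUESTS: Dict[str, Request] = {
    "exploit": ("POST", TARGET_URI, _HEADERS,
                BODY_PREFIX + encode_search(STAND_IN_PAYLOAD)),
    "benign_search": ("POST", TARGET_URI, _HEADERS, BODY_PREFIX + "Berlin"),
    "other_endpoint": ("POST", "/shop.php?do=Search", _HEADERS,
                       BODY_PREFIX + encode_search(STAND_IN_PAYLOAD)),
    "no_cookie_header": ("POST", TARGET_URI,
                         {"Host": "shop.example.test",
                          "Content-Type": "application/x-www-form-urlencoded"},
                         BODY_PREFIX + encode_search(STAND_IN_PAYLOAD)),
}


def scan(requests: Dict[str, Request]) -> Dict[str, bool]:
    """Run the matcher over a batch of named requests."""
    return {name: matches_cve_2024_23759(*req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, hit in scan(SAMPLE_REQUESTS).items():
        print(f"{name:18} {'ALERT' if hit else 'ok'}")
```

The 'no_cookie_header' case is the one to watch when tuning: it carries the full payload and is exactly what the rule does not fire on, so a hunting query over web-server or WAF logs should key on the URI and body prefix alone rather than copying the header-name conditions.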