Unrated severity · NVD Advisory · Published Sep 5, 2019 · Updated Aug 4, 2024

CVE-2019-5069

Description

Epignosis eFront LMS v5.2.12 is vulnerable to insecure deserialization via a crafted web parameter, allowing authenticated attackers to execute arbitrary PHP code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A code execution vulnerability exists in Epignosis eFront LMS version 5.2.12 due to unsafe deserialization of untrusted data (CWE-502) [1]. The flaw resides in the set() method of the application's core model, which calls unserialize() on user-supplied input without adequate validation [1]. The vulnerable code path is reachable through the /audiences/add/1 endpoint, where the name parameter is passed unsanitized to unserialize() [1].

Exploitation

An attacker must be authenticated to the eFront LMS application [1]. The attacker sends a specially crafted POST request to /audiences/add/1 with a malicious serialized payload in the name parameter [1]. The Content-Type is application/x-www-form-urlencoded and a valid CSRF token (qfS_csrf) is required [1]. The application then deserializes the payload, which can be crafted to instantiate arbitrary PHP objects and trigger gadget chains leading to code execution [1].

Impact

Successful exploitation allows an attacker to execute arbitrary PHP code on the server with the privileges of the web server process [1]. This leads to complete compromise of confidentiality, integrity, and availability (CVSSv3 8.8) [1]. The attacker can read, write, or delete sensitive data, install backdoors, or pivot to internal systems [1].

Mitigation

As of the publication date (September 5, 2019), no vendor-supplied fix or patched version has been released [1]. Affected users should restrict network access to the eFront LMS instance, limit the attack surface by disabling unnecessary modules, and monitor for signs of exploitation [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Unsafe deserialization of untrusted user input via the `set()` method in the eFront LMS model layer, where the `generic` type check passes serialized data to `unserialize()` without validation."

Attack vector

An authenticated attacker sends a crafted POST request to any of the vulnerable form endpoints (e.g., `/audiences/add/1`, `/Banners/add/1`, `/Glossary/add/1`) with a malicious serialized PHP payload in the `name`, `term`, `title`, `discount_type`, or `filter_name` parameter [1]. The application's `set()` method passes the value through `@unserialize($value)` when the type is `generic`, and if the unserialize succeeds the raw object is stored and later evaluated, leading to PHP code execution [1]. The attack requires only low-privilege authentication and no special network position beyond HTTP access to the LMS [CWE-502].

Affected code

The vulnerable code is in the `set()` method of the eFront LMS model layer, specifically lines 205–226 where `@unserialize($value)` is called on user-supplied data when the type parameter is `generic` [1]. The advisory identifies 14 form endpoints that pass attacker-controlled parameters (e.g., `name`, `term`, `title`, `discount_type`, `filter_name`) through this code path, including `/audiences/add/1`, `/Banners/add/1`, `/Glossary/add/1`, and `/certificates/add/1` [1].
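A request-side check for this code path, as an added example (not eFront or advisory code): it flags form fields whose value carries a PHP serialized-object token. The function name, constants and sample bodies are constructed for illustration, and the endpoint and parameter lists hold only the entries named on this page.

```php
<?php
declare(strict_types=1);

// Endpoints and parameters named on this page. The advisory counts 14 endpoints,
// so both lists are partial and every POST field is scanned regardless.
const NAMED_ENDPOINTS = ['/audiences/add/1', '/Banners/add/1', '/Glossary/add/1', '/certificates/add/1'];
const NAMED_PARAMS = ['name', 'term', 'title', 'discount_type', 'filter_name'];

// Serialized object (O:) or custom-serialized object (C:) token at the start of a
// value or after a ; { } boundary, which also covers objects nested in arrays.
const OBJECT_TOKEN = '/(?:^|[;{}])[OC]:\+?\d+:"/';

function findSerializedObjects(string $path, string $rawBody): array
{
    parse_str($rawBody, $post);                 // splits and URL-decodes the form body
    $findings = [];
    array_walk_recursive($post, function ($value, $key) use ($path, &$findings) {
        if (is_string($value) && preg_match(OBJECT_TOKEN, $value) === 1) {
            $findings[] = [
                'path'          => $path,
                'param'         => (string) $key,
                'named_on_page' => in_array($path, NAMED_ENDPOINTS, true)
                                   && in_array((string) $key, NAMED_PARAMS, true),
            ];
        }
    });
    return $findings;
}

// Constructed sample requests: one ordinary form post and two carrying a benign stdClass.
$samples = [
    ['/audiences/add/1', 'qfS_csrf=abc&name=Sales+team&description=jh&active=1'],
    ['/audiences/add/1', 'qfS_csrf=abc&name=' . urlencode(serialize(new stdClass())) . '&active=1'],
    ['/Glossary/add/1',  'term=' . urlencode(serialize(['k' => new stdClass()]))],
];
foreach ($samples as [$path, $body]) {
    echo $path, ' => ', json_encode(findSerializedObjects($path, $body)), "\n";
}
```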

What the fix does

The advisory states the vendor patched and released a new version on 2019-08-30, but no patch diff is included in the bundle [1]. The recommended remediation is to avoid passing untrusted user input to `unserialize()` and to implement strict type validation or use a safe serialization format such as JSON. Without the patch content, the specific code changes cannot be described, but the root cause (the unconditional `@unserialize($value)` call in the `set()` method) must be removed or guarded by an allowlist of safe classes.
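The guard described above, sketched as an added example rather than the vendor's patch or eFront source: a hypothetical model whose `set()` follows the pattern the advisory describes, beside a variant that uses the `allowed_classes` option of `unserialize()` and accepts only plain data. Class names and the harmless `WakeupProbe` are constructed; PHP 7.4 or later is assumed.

```php
<?php
declare(strict_types=1);
// Constructed, harmless stand-in for any application class with a magic method.
final class WakeupProbe
{
    public static bool $fired = false;
    public function __wakeup(): void { self::$fired = true; }
}
// Hypothetical model reproducing the pattern the advisory describes (not eFront source).
class UnsafeModel
{
    public array $fields = [];
    public function set(string $name, $value, string $type = 'generic'): void
    {
        if ($type === 'generic' && is_string($value)) {
            $decoded = @unserialize($value);      // instantiates classes named by the input
            if ($decoded !== false) { $value = $decoded; }
        }
        $this->fields[$name] = $value;
    }
}
class HardenedModel extends UnsafeModel
{
    public function set(string $name, $value, string $type = 'generic'): void
    {
        if ($type === 'generic' && is_string($value)) {
            // allowed_classes=false: objects decode to __PHP_Incomplete_Class, no magic methods run.
            $decoded = @unserialize($value, ['allowed_classes' => false]);
            // Accept only scalars and arrays of scalars; anything else stays a raw string.
            if ($decoded !== false && self::isPlainData($decoded)) { $value = $decoded; }
        }
        $this->fields[$name] = $value;
    }
    private static function isPlainData($v): bool
    {
        if (!is_array($v)) { return $v === null || is_scalar($v); }
        return array_reduce($v, fn($ok, $item) => $ok && self::isPlainData($item), true);
    }
}

$input = serialize(new WakeupProbe());            // constructed sample field value
foreach ([new HardenedModel(), new UnsafeModel()] as $model) {
    WakeupProbe::$fired = false;
    $model->set('name', $input);
    printf("%s: magic method ran=%s, stored type=%s\n", get_class($model),
        var_export(WakeupProbe::$fired, true), gettype($model->fields['name']));
}
```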

Preconditions

  • auth: Attacker must have a valid authenticated session with the eFront LMS application
  • network: Attacker must be able to send HTTP POST requests to the vulnerable endpoints
  • input: Attacker must supply a malicious PHP serialized payload in the vulnerable parameter

Reproduction

Send a POST request to a vulnerable endpoint such as `/audiences/add/1` with a `Content-Type: application/x-www-form-urlencoded` body containing a malicious serialized PHP object in the `name` parameter. The advisory provides the following PoC request structure [1]:

```
POST /audiences/add/1 HTTP/1.1
Host: [IP]
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSIDfb411=aaaaaaaa;

ratio=undefined&_qf__audience_properties_form=&qfS_csrf=abc&name=[UNSERIALIZED DATA]&description=jh&active=1&branches_ID=&submit=Add
```

Replace `[UNSERIALIZED DATA]` with a PHP serialized payload that triggers code execution upon deserialization.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
