High severity · NVD Advisory · Published Jun 10, 2020 · Updated Aug 4, 2024
Phar unserialization vulnerability in phpMussel
CVE-2020-4043
Description
phpMussel versions from 1.0.0 up to, but not including, 1.6.0 have an unserialization vulnerability in PHP's phar wrapper. Uploading a specially crafted file to an affected version allows arbitrary code execution (discovered, tested, and confirmed by myself), so the risk factor should be regarded as very high. Newer phpMussel versions don't use PHP's phar wrapper, and are therefore unaffected. This has been fixed in version 1.6.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmussel/phpmussel (Packagist) | >= 1.0.0, < 1.6.0 | 1.6.0 |
| maikuolan/phpmussel (Packagist) | >= 1.0.0, < 1.6.0 | 1.6.0 |
Affected products (3)
- ghsa-coords (2 versions): >= 1.0.0, < 1.6.0, + 1 more
- (no CPE) range: >= 1.0.0, < 1.6.0
- (no CPE) range: >= 1.0.0, < 1.6.0
References
- github.com/advisories/GHSA-qr95-4mq5-r3fh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-4043 (ghsa, ADVISORY)
- github.com/phpMussel/phpMussel/commit/97f25973433921c1f953430f32d3081adc4851a4 (ghsa, x_refsource_MISC, WEB)
- github.com/phpMussel/phpMussel/issues/167 (ghsa, x_refsource_MISC, WEB)
- github.com/phpMussel/phpMussel/pull/173 (ghsa, x_refsource_MISC, WEB)
- github.com/phpMussel/phpMussel/security/advisories/GHSA-qr95-4mq5-r3fh (ghsa, x_refsource_CONFIRM, WEB)
- github.com/phpMussel/phpMussel/security/policy (ghsa, x_refsource_MISC, WEB)