CVE-2025-61505

Medium CVSS: 6.5

e107 CMS thru 2.3.3 are vulnerable to insecure deserialization in the `install.php` script. The script processes user-controlled input in the `previous_steps` POST parameter using `unserialize(base64_decode())` without validation, allowing attackers to craft malicious serialized data. This could lead to remote code execution, arbitrary file operations, or denial of service, depending on available PHP object gadgets in the codebase.

Vendor

E107

Product

E107

CWE

CWE-502

Yayın Tarihi

2025-10-10 19:15:38

Güncelleme

2026-01-12 16:36:43

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-502 E107 MEDIUM E107 2025

Referanslar

https://github.com/e107inc/e107/blob/master/install.php https://xancatos.org/cve202561505

Benzer Kayıtlar

High

CVE-2022-50939

e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to overrid…

High

CVE-2022-50916

e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server…

Critical

CVE-2022-50905

e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulner…

Medium

CVE-2022-50906

e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload ma…

High

CVE-2022-50907

e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upl…

Medium

CVE-2025-11941

A vulnerability was detected in e107 CMS up to 2.3.3. This impacts an unknown function of the file /e107_admin/image.php…