PT-2022-19565 · Phpok · Phpok

Wa1Ki0G · Published 2022-05-12 · Updated 2022-05-23 · CVE-2022-29363

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Phpok version 6.1
Description: The issue is a deserialization vulnerability via the update_f() function in login_control.php. It allows attackers to write arbitrary files, potentially leading to shell access.
Recommendations: For Phpok version 6.1, consider disabling the update_f() function in login_control.php as a temporary workaround until a patch is available. Restrict access to the login_control.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2022-29363

Affected Products

Phpok