CVE-2024-24725

Name of the Vulnerable Software and Affected Versions Gibbon versions 26.0.00 and earlier

Description The issue allows remote authenticated users to conduct PHP deserialization attacks via the columnOrder parameter in a POST request to the "/modules/System%20Admin/import run.php&type=externalAssessment&step=4" API endpoint. This can lead to deserialization attacks. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited.

Recommendations For Gibbon versions 26.0.00 and earlier, restrict access to the System Admin module and consider patching as soon as possible to mitigate the risk of exploitation. As a temporary workaround, consider restricting the use of the columnOrder parameter in the affected API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.