QwikSec

Security Database

CVE

CWE

Training

CVE-2017-7411

Published: Oct 30, 2017

Modified: Aug 5, 2024

PUBLISHED

Description

An issue was discovered in Enalean Tuleap 9.6 and prior versions. The vulnerability exists because the User::getRecentElements() method is using the unserialize() function with a preference value that can be arbitrarily manipulated by malicious users through the REST API interface, and this can be exploited to inject arbitrary PHP objects into the application scope, allowing an attacker to perform a variety of attacks (including but not limited to Remote Code Execution).

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://tuleap.net/plugins/tracker/?aid=10118

x_refsource_CONFIRM

http://packetstormsecurity.com/files/144716/Tuleap-9.6-Second-Order-PHP-Object-Injection.html

x_refsource_MISC

exploit

x_refsource_EXPLOIT-DB

[oss-security] 20171023 [KIS-2017-02] Tuleap <= 9.6 Second-Order PHP Object Injection Vulnerability

mailing-list

x_refsource_MLIST

http://karmainsecurity.com/KIS-2017-02

x_refsource_MISC

20171023 [KIS-2017-02] Tuleap <= 9.6 Second-Order PHP Object Injection Vulnerability

mailing-list

x_refsource_FULLDISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.