PluXml Deserialization Vulnerability in Media Management Module

Vulnerability

A deserialization vulnerability has been identified in PluXml versions through 5.8.22, specifically within the Media Management Module's admin interface. The issue arises in the 'core/admin/medias.php' file, where user-controlled file parameters are not properly validated. This flaw allows authenticated attackers to upload a malicious Phar archive disguised as an image, which can then be exploited to execute arbitrary PHP code on the server, leading to remote code execution.

Impact

Exploitation of this vulnerability allows authenticated attackers to execute arbitrary PHP code on the server, resulting in remote code execution.

Reproduction

To reproduce this vulnerability, upload a malicious Phar file renamed as a JPEG image through the media management interface. Then, use the file renaming feature to trigger the deserialization by specifying a 'phar://' protocol path that points to the uploaded file. This action will invoke the deserialization vulnerability, allowing the execution of arbitrary code on the server.

Remediation

Users are advised to update to PluXml version 5.8.23 or later, where this vulnerability has been addressed.
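The root cause described above is a file-name parameter that reaches PHP's filesystem functions unchanged, so a value starting with a stream wrapper such as 'phar://' is honoured by those functions. The following hardening example is added here and is not PluXml's own code; it assumes a hypothetical MediaPathValidator class with a fixed media root directory and PHP 8.0 or later. It shows the check a media module needs before any rename, copy or delete: the user value must be a bare file name inside the media directory, never a path or a URL.

```php
<?php
declare(strict_types=1);

// Hypothetical hardening example, not PluXml's own code. It shows the
// validation the advisory says was missing: a user-supplied media file
// name must be treated as a bare name inside a fixed directory, never
// as a path or a stream-wrapper URL (phar://, php://, file://, ...).
// Assumes PHP 8.0+ (str_contains, str_starts_with, promoted constructor).

final class MediaPathValidator
{
    private const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

    public function __construct(private string $mediaRoot) {}

    /**
     * Returns the absolute path of $userName inside the media root, or null
     * when the value must be rejected. Every filesystem call (rename, copy,
     * unlink, file_exists) should receive only a path returned from here.
     */
    public function resolve(string $userName): ?string
    {
        // Reject anything shaped like a scheme or stream wrapper. PHP file
        // functions honour phar://, file://, php:// etc. transparently, which
        // is exactly what turns a rename into a deserialization trigger.
        if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userName) === 1) {
            return null;
        }
        // A media name is a bare file name: no NUL bytes, no separators,
        // no leading dot (hidden files, "." and "..").
        if (str_contains($userName, "\0")
            || str_contains($userName, '/')
            || str_contains($userName, '\\')
            || str_starts_with($userName, '.')) {
            return null;
        }
        // Conservative character set and an extension allowlist.
        if (preg_match('/^[A-Za-z0-9._-]+$/', $userName) !== 1) {
            return null;
        }
        $ext = strtolower(pathinfo($userName, PATHINFO_EXTENSION));
        if (!in_array($ext, self::ALLOWED_EXTENSIONS, true)) {
            return null;
        }
        // Build the path from the trusted root and confirm it still resolves
        // inside that root (guards against a misconfigured or symlinked root).
        $root = realpath($this->mediaRoot);
        if ($root === false) {
            return null;
        }
        $candidate = $root . DIRECTORY_SEPARATOR . $userName;
        if (realpath(dirname($candidate)) !== $root) {
            return null;
        }
        return $candidate;
    }
}

// Demonstration with a temporary media directory and constructed inputs.
$mediaRoot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'media_demo_' . bin2hex(random_bytes(4));
mkdir($mediaRoot, 0700);
$validator = new MediaPathValidator($mediaRoot);

$inputs = [
    'photo.jpg',                            // accepted
    'phar://' . $mediaRoot . '/photo.jpg',  // rejected: stream wrapper
    'PHAR://evil.jpg',                      // rejected: wrapper, any case
    '../config.php',                        // rejected: path separator
    'shell.php',                            // rejected: extension not allowed
    "photo.jpg\0.php",                      // rejected: NUL byte
];
foreach ($inputs as $input) {
    $result = $validator->resolve($input);
    printf("%-45s => %s\n", addcslashes($input, "\0"), $result ?? 'REJECTED');
}
rmdir($mediaRoot);
```

The wrapper check is the control that matters here: sniffing the uploaded file's content (for example with getimagesize) does not help against an archive that carries a valid image header, so the safe property is that no user-controlled value is ever handed to a filesystem function as anything other than a validated bare name joined to a server-chosen directory.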

Added: Jan 2, 2026, 3:32 PM
Updated: Jan 2, 2026, 5:12 PM

Vulnerability Rating

Custom Algorithm

spread           1.0
impact          10.0
exploitability   6.8
remediation      7.7
relevance        1.8
threat           6.4
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.