MixPHP Framework Unsafe Deserialization Vulnerability Allowing Remote Code Execution

Vulnerability

A vulnerability allowing remote code execution through unsafe deserialization has been identified in MixPHP Framework versions 2.x prior to 2.2.17. The issue lies in the sync-invoke client, which unserializes the data it receives in the server response without validating it first. Because PHP's unserialize() instantiates whatever classes the payload names and runs their magic methods (for example __wakeup() or __destruct()), a server that returns a crafted payload can drive the client into executing attacker-chosen code. The flaw is therefore exploitable whenever the client connects to a malicious or compromised server.

Impact

Exploitation of this vulnerability allows remote code execution on the host running the sync-invoke client, with the privileges of the client process. The server the client talks to is the attacker's position; the client does not need to expose any service of its own.

Reproduction

The vulnerability can be reproduced by having a client running MixPHP Framework version 2.x prior to 2.2.17 connect to a server under the attacker's control. The server response must contain a PHP-serialized payload that, when passed to the client's unserialize(), instantiates a class whose deserialization or destruction path reaches a dangerous sink. The attacker reaches that position either by compromising the legitimate server or by tampering with the client-server connection, which is only possible where the transport is not authenticated and encrypted.
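The following PHP script is an added example written for this page; it is not MixPHP code and does not use the sync-invoke API. It stands in for the client-side pattern described above: a response string arrives from the peer, the vulnerable client hands it straight to unserialize(), and a hypothetical gadget class (LogFlusher, invented here) turns that into code execution. The "malicious server response" is constructed locally so the script runs offline. The two hardened variants show what a client should do instead: refuse to instantiate any class from the payload, or drop PHP serialization for a format that cannot describe objects.

```php
<?php
// Added illustration, not code from the MixPHP project.

// Hypothetical gadget: any class reachable by the client's autoloader whose
// magic methods do something dangerous with attacker-controlled properties.
// __wakeup() marks the object as having come from unserialize(), so the
// locally built copy used to craft the payload never fires the sink itself.
class LogFlusher
{
    public string $command = '';
    private bool $armed = false;

    public function __wakeup(): void
    {
        $this->armed = true;
    }

    public function __destruct()
    {
        if ($this->armed && $this->command !== '') {
            // Stand-in for a real sink (exec, file write, include, ...).
            echo "[sink] would run: {$this->command}\n";
        }
    }
}

// Constructed stand-in for what a hostile sync-invoke server could return.
function craftMaliciousResponse(): string
{
    $gadget = new LogFlusher();
    $gadget->command = 'id';
    return serialize($gadget);
}

// Vulnerable pattern: trust the peer and rebuild whatever object it describes.
function vulnerableClientDecode(string $response): mixed
{
    return unserialize($response);
}

// Recursively detect objects anywhere in the decoded structure.
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern 1: keep PHP serialization but never instantiate classes.
// Objects decode to __PHP_Incomplete_Class, no magic method runs, and the
// client rejects the response outright if any object was present.
function hardenedClientDecodeScalarOnly(string $response): mixed
{
    $value = @unserialize($response, ['allowed_classes' => false]);
    if ($value === false && $response !== serialize(false)) {
        throw new RuntimeException('malformed response');
    }
    if (containsObject($value)) {
        throw new RuntimeException('object payload rejected');
    }
    return $value;
}

// Hardened pattern 2: use a wire format that cannot express PHP objects.
function hardenedClientDecodeJson(string $response): mixed
{
    return json_decode($response, true, 512, JSON_THROW_ON_ERROR);
}

$payload = craftMaliciousResponse();

echo "vulnerable client: ";
$obj = vulnerableClientDecode($payload);
unset($obj);                       // destructor runs here and reaches the sink

echo "hardened client: ";
try {
    hardenedClientDecodeScalarOnly($payload);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";   // prints "object payload rejected"
}

echo "json client: ";
var_dump(hardenedClientDecodeJson(json_encode(['status' => 'ok'])));
```

Running it with `php` prints the sink line for the vulnerable path and the rejection message for the hardened one. The `allowed_classes` option is a defence in depth measure only; the robust fix is to stop passing peer-supplied bytes to unserialize() at all, which is the direction a JSON or otherwise object-free encoding takes.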

Remediation

Users are advised to update to MixPHP Framework version 2.2.17 or later, where this vulnerability has been addressed. Until the upgrade is applied, a sync-invoke client should only be pointed at servers the operator controls, over a transport that cannot be tampered with, because the client treats the peer's response as trusted input.

Added: May 1, 2026, 5:11 PM
Updated: May 1, 2026, 5:11 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.8
remediation: 0.0
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.