CVE-2025-5498 (GCVE-0-2025-5498)
Vulnerability from cvelistv5 – Published: 2025-06-03 13:31 – Updated: 2025-06-03 13:45
VLAI?
Title
slackero phpwcms Custom Source Tab cnt21.readform.inc.php is_file deserialization
Summary
A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. This issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. The manipulation of the argument cpage_custom leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component.
Severity ?
5.5 (Medium)
5.5 (Medium)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| slackero | phpwcms |
Affected:
1.9.0
Affected: 1.9.1 Affected: 1.9.2 Affected: 1.9.3 Affected: 1.9.4 Affected: 1.9.5 Affected: 1.9.6 Affected: 1.9.7 Affected: 1.9.8 Affected: 1.9.9 Affected: 1.9.10 Affected: 1.9.11 Affected: 1.9.12 Affected: 1.9.13 Affected: 1.9.14 Affected: 1.9.15 Affected: 1.9.16 Affected: 1.9.17 Affected: 1.9.18 Affected: 1.9.19 Affected: 1.9.20 Affected: 1.9.21 Affected: 1.9.22 Affected: 1.9.23 Affected: 1.9.24 Affected: 1.9.25 Affected: 1.9.26 Affected: 1.9.27 Affected: 1.9.28 Affected: 1.9.29 Affected: 1.9.30 Affected: 1.9.31 Affected: 1.9.32 Affected: 1.9.33 Affected: 1.9.34 Affected: 1.9.35 Affected: 1.9.36 Affected: 1.9.37 Affected: 1.9.38 Affected: 1.9.39 Affected: 1.9.40 Affected: 1.9.41 Affected: 1.9.42 Affected: 1.9.43 Affected: 1.9.44 Affected: 1.9.45 Affected: 1.10.0 Affected: 1.10.1 Affected: 1.10.2 Affected: 1.10.3 Affected: 1.10.4 Affected: 1.10.5 Affected: 1.10.6 Affected: 1.10.7 Affected: 1.10.8 |
Credits
Dem0 (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5498",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-03T13:45:19.219062Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T13:45:36.390Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Custom Source Tab"
],
"product": "phpwcms",
"vendor": "slackero",
"versions": [
{
"status": "affected",
"version": "1.9.0"
},
{
"status": "affected",
"version": "1.9.1"
},
{
"status": "affected",
"version": "1.9.2"
},
{
"status": "affected",
"version": "1.9.3"
},
{
"status": "affected",
"version": "1.9.4"
},
{
"status": "affected",
"version": "1.9.5"
},
{
"status": "affected",
"version": "1.9.6"
},
{
"status": "affected",
"version": "1.9.7"
},
{
"status": "affected",
"version": "1.9.8"
},
{
"status": "affected",
"version": "1.9.9"
},
{
"status": "affected",
"version": "1.9.10"
},
{
"status": "affected",
"version": "1.9.11"
},
{
"status": "affected",
"version": "1.9.12"
},
{
"status": "affected",
"version": "1.9.13"
},
{
"status": "affected",
"version": "1.9.14"
},
{
"status": "affected",
"version": "1.9.15"
},
{
"status": "affected",
"version": "1.9.16"
},
{
"status": "affected",
"version": "1.9.17"
},
{
"status": "affected",
"version": "1.9.18"
},
{
"status": "affected",
"version": "1.9.19"
},
{
"status": "affected",
"version": "1.9.20"
},
{
"status": "affected",
"version": "1.9.21"
},
{
"status": "affected",
"version": "1.9.22"
},
{
"status": "affected",
"version": "1.9.23"
},
{
"status": "affected",
"version": "1.9.24"
},
{
"status": "affected",
"version": "1.9.25"
},
{
"status": "affected",
"version": "1.9.26"
},
{
"status": "affected",
"version": "1.9.27"
},
{
"status": "affected",
"version": "1.9.28"
},
{
"status": "affected",
"version": "1.9.29"
},
{
"status": "affected",
"version": "1.9.30"
},
{
"status": "affected",
"version": "1.9.31"
},
{
"status": "affected",
"version": "1.9.32"
},
{
"status": "affected",
"version": "1.9.33"
},
{
"status": "affected",
"version": "1.9.34"
},
{
"status": "affected",
"version": "1.9.35"
},
{
"status": "affected",
"version": "1.9.36"
},
{
"status": "affected",
"version": "1.9.37"
},
{
"status": "affected",
"version": "1.9.38"
},
{
"status": "affected",
"version": "1.9.39"
},
{
"status": "affected",
"version": "1.9.40"
},
{
"status": "affected",
"version": "1.9.41"
},
{
"status": "affected",
"version": "1.9.42"
},
{
"status": "affected",
"version": "1.9.43"
},
{
"status": "affected",
"version": "1.9.44"
},
{
"status": "affected",
"version": "1.9.45"
},
{
"status": "affected",
"version": "1.10.0"
},
{
"status": "affected",
"version": "1.10.1"
},
{
"status": "affected",
"version": "1.10.2"
},
{
"status": "affected",
"version": "1.10.3"
},
{
"status": "affected",
"version": "1.10.4"
},
{
"status": "affected",
"version": "1.10.5"
},
{
"status": "affected",
"version": "1.10.6"
},
{
"status": "affected",
"version": "1.10.7"
},
{
"status": "affected",
"version": "1.10.8"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dem0 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. This issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. The manipulation of the argument cpage_custom leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in slackero phpwcms bis 1.9.45/1.10.8 ausgemacht. Sie wurde als kritisch eingestuft. Betroffen davon ist die Funktion file_get_contents/is_file der Datei include/inc_lib/content/cnt21.readform.inc.php der Komponente Custom Source Tab. Durch das Beeinflussen des Arguments cpage_custom mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 1.9.46 and 1.10.9 vermag dieses Problem zu l\u00f6sen. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T13:31:05.263Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-310913 | slackero phpwcms Custom Source Tab cnt21.readform.inc.php is_file deserialization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.310913"
},
{
"name": "VDB-310913 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.310913"
},
{
"name": "Submit #578054 | phpwcms 1.10.8 phar/php filter vulnerability",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.578054"
},
{
"name": "Submit #578055 | phpwcms 1.10.8 phar/php filter vulnerability (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.578055"
},
{
"tags": [
"related"
],
"url": "https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23file_get_contents.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23is_file.md"
},
{
"tags": [
"patch"
],
"url": "https://github.com/slackero/phpwcms/releases/tag/v1.10.9"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-03T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-06-03T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-06-03T07:19:44.000Z",
"value": "VulDB entry last update"
}
],
"title": "slackero phpwcms Custom Source Tab cnt21.readform.inc.php is_file deserialization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-5498",
"datePublished": "2025-06-03T13:31:05.263Z",
"dateReserved": "2025-06-03T05:14:35.178Z",
"dateUpdated": "2025-06-03T13:45:36.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-5498\",\"sourceIdentifier\":\"cna@vuldb.com\",\"published\":\"2025-06-03T14:15:51.313\",\"lastModified\":\"2025-06-04T14:54:33.783\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. This issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. The manipulation of the argument cpage_custom leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 una vulnerabilidad en slackero phpwcms hasta la versi\u00f3n 1.9.45/1.10.8. Se ha clasificado como cr\u00edtica. Este problema afecta a la funci\u00f3n file_get_contents/is_file del archivo include/inc_lib/content/cnt21.readform.inc.php del componente Custom Source Tab. La manipulaci\u00f3n del argumento cpage_custom provoca la deserializaci\u00f3n. El ataque puede ejecutarse en remoto. Se ha hecho p\u00fablico el exploit y puede que sea utilizado. Actualizar a las versiones 1.9.46 y 1.10.9 puede solucionar este problema. Se recomienda actualizar el componente afectado.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.1,\"impactScore\":3.4}],\"cvssMetricV2\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"},{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23file_get_contents.md\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23is_file.md\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://github.com/slackero/phpwcms/releases/tag/v1.10.9\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?ctiid.310913\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?id.310913\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?submit.578054\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?submit.578055\",\"source\":\"cna@vuldb.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-5498\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-03T13:45:19.219062Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-03T13:45:25.818Z\"}}], \"cna\": {\"title\": \"slackero phpwcms Custom Source Tab cnt21.readform.inc.php is_file deserialization\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Dem0 (VulDB User)\"}], \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.1, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N\"}}, {\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L\"}}, {\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L\"}}, {\"cvssV2_0\": {\"version\": \"2.0\", \"baseScore\": 6.5, \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\"}}], \"affected\": [{\"vendor\": \"slackero\", \"modules\": [\"Custom Source Tab\"], \"product\": \"phpwcms\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.9.0\"}, {\"status\": \"affected\", \"version\": \"1.9.1\"}, {\"status\": \"affected\", \"version\": \"1.9.2\"}, {\"status\": \"affected\", \"version\": \"1.9.3\"}, {\"status\": \"affected\", \"version\": \"1.9.4\"}, {\"status\": \"affected\", \"version\": \"1.9.5\"}, {\"status\": \"affected\", \"version\": \"1.9.6\"}, {\"status\": \"affected\", \"version\": \"1.9.7\"}, {\"status\": \"affected\", \"version\": \"1.9.8\"}, {\"status\": \"affected\", \"version\": \"1.9.9\"}, {\"status\": \"affected\", \"version\": \"1.9.10\"}, {\"status\": \"affected\", \"version\": \"1.9.11\"}, {\"status\": \"affected\", \"version\": \"1.9.12\"}, {\"status\": \"affected\", \"version\": \"1.9.13\"}, {\"status\": \"affected\", \"version\": \"1.9.14\"}, {\"status\": \"affected\", \"version\": \"1.9.15\"}, {\"status\": \"affected\", \"version\": \"1.9.16\"}, {\"status\": \"affected\", \"version\": \"1.9.17\"}, {\"status\": \"affected\", \"version\": \"1.9.18\"}, {\"status\": \"affected\", \"version\": \"1.9.19\"}, {\"status\": \"affected\", \"version\": \"1.9.20\"}, {\"status\": \"affected\", \"version\": \"1.9.21\"}, {\"status\": \"affected\", \"version\": \"1.9.22\"}, {\"status\": \"affected\", \"version\": \"1.9.23\"}, {\"status\": \"affected\", \"version\": \"1.9.24\"}, {\"status\": \"affected\", \"version\": \"1.9.25\"}, {\"status\": \"affected\", \"version\": \"1.9.26\"}, {\"status\": \"affected\", \"version\": \"1.9.27\"}, {\"status\": \"affected\", \"version\": \"1.9.28\"}, {\"status\": \"affected\", \"version\": \"1.9.29\"}, {\"status\": \"affected\", \"version\": \"1.9.30\"}, {\"status\": \"affected\", \"version\": \"1.9.31\"}, {\"status\": \"affected\", \"version\": \"1.9.32\"}, {\"status\": \"affected\", \"version\": \"1.9.33\"}, {\"status\": \"affected\", \"version\": \"1.9.34\"}, {\"status\": \"affected\", \"version\": \"1.9.35\"}, {\"status\": \"affected\", \"version\": \"1.9.36\"}, {\"status\": \"affected\", \"version\": \"1.9.37\"}, {\"status\": \"affected\", \"version\": \"1.9.38\"}, {\"status\": \"affected\", \"version\": \"1.9.39\"}, {\"status\": \"affected\", \"version\": \"1.9.40\"}, {\"status\": \"affected\", \"version\": \"1.9.41\"}, {\"status\": \"affected\", \"version\": \"1.9.42\"}, {\"status\": \"affected\", \"version\": \"1.9.43\"}, {\"status\": \"affected\", \"version\": \"1.9.44\"}, {\"status\": \"affected\", \"version\": \"1.9.45\"}, {\"status\": \"affected\", \"version\": \"1.10.0\"}, {\"status\": \"affected\", \"version\": \"1.10.1\"}, {\"status\": \"affected\", \"version\": \"1.10.2\"}, {\"status\": \"affected\", \"version\": \"1.10.3\"}, {\"status\": \"affected\", \"version\": \"1.10.4\"}, {\"status\": \"affected\", \"version\": \"1.10.5\"}, {\"status\": \"affected\", \"version\": \"1.10.6\"}, {\"status\": \"affected\", \"version\": \"1.10.7\"}, {\"status\": \"affected\", \"version\": \"1.10.8\"}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-06-03T00:00:00.000Z\", \"value\": \"Advisory disclosed\"}, {\"lang\": \"en\", \"time\": \"2025-06-03T02:00:00.000Z\", \"value\": \"VulDB entry created\"}, {\"lang\": \"en\", \"time\": \"2025-06-03T07:19:44.000Z\", \"value\": \"VulDB entry last update\"}], \"references\": [{\"url\": \"https://vuldb.com/?id.310913\", \"name\": \"VDB-310913 | slackero phpwcms Custom Source Tab cnt21.readform.inc.php is_file deserialization\", \"tags\": [\"vdb-entry\", \"technical-description\"]}, {\"url\": \"https://vuldb.com/?ctiid.310913\", \"name\": \"VDB-310913 | CTI Indicators (IOB, IOC, IOA)\", \"tags\": [\"signature\", \"permissions-required\"]}, {\"url\": \"https://vuldb.com/?submit.578054\", \"name\": \"Submit #578054 | phpwcms 1.10.8 phar/php filter vulnerability\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://vuldb.com/?submit.578055\", \"name\": \"Submit #578055 | phpwcms 1.10.8 phar/php filter vulnerability (Duplicate)\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23file_get_contents.md\", \"tags\": [\"related\"]}, {\"url\": \"https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23is_file.md\", \"tags\": [\"exploit\"]}, {\"url\": \"https://github.com/slackero/phpwcms/releases/tag/v1.10.9\", \"tags\": [\"patch\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. This issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. The manipulation of the argument cpage_custom leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component.\"}, {\"lang\": \"de\", \"value\": \"Eine Schwachstelle wurde in slackero phpwcms bis 1.9.45/1.10.8 ausgemacht. Sie wurde als kritisch eingestuft. Betroffen davon ist die Funktion file_get_contents/is_file der Datei include/inc_lib/content/cnt21.readform.inc.php der Komponente Custom Source Tab. Durch das Beeinflussen des Arguments cpage_custom mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \\u00fcber das Netzwerk erfolgen. Der Exploit steht zur \\u00f6ffentlichen Verf\\u00fcgung. Ein Aktualisieren auf die Version 1.9.46 and 1.10.9 vermag dieses Problem zu l\\u00f6sen. Als bestm\\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"Deserialization\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"shortName\": \"VulDB\", \"dateUpdated\": \"2025-06-03T13:31:05.263Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-5498\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-03T13:45:36.390Z\", \"dateReserved\": \"2025-06-03T05:14:35.178Z\", \"assignerOrgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"datePublished\": \"2025-06-03T13:31:05.263Z\", \"assignerShortName\": \"VulDB\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…