
THREATINT
PUBLISHED

CVE-2024-7067

kirilkirkov Ecommerce-Laravel-Bootstrap Cart.php getCartProductsIds deserialization
Assigner: VulDB
Reserved: 2024-07-24
Published: 2024-07-24
Updated: 2024-08-01

Description


A vulnerability was found in kirilkirkov Ecommerce-Laravel-Bootstrap up to 1f1097a3448ce8ec53e034ea0f70b8e2a0e64a87. It has been rated as critical. Affected by this issue is the function getCartProductsIds of the file app/Cart.php. The manipulation of the argument laraCart leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The name of the patch is a02111a674ab49f65018b31da3011b1e396f59b1. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-272348.

A critical vulnerability was identified in kirilkirkov Ecommerce-Laravel-Bootstrap up to 1f1097a3448ce8ec53e034ea0f70b8e2a0e64a87. Affected is the function getCartProductsIds of the file app/Cart.php. By manipulating the argument laraCart with unknown data, a deserialization vulnerability can be exploited. The attack can be carried out over the network. The exploit is publicly available. This product does not use versioning and instead uses rolling releases. Therefore, no details on affected or updated versions are available. The patch is identified as a02111a674ab49f65018b31da3011b1e396f59b1. Patching is recommended as the best possible countermeasure.



MEDIUM: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N)
MEDIUM: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
MEDIUM: 6.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
6.5 (CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P)

Problem types

CWE-502 Deserialization

Product status

1f1097a3448ce8ec53e034ea0f70b8e2a0e64a87: affected

Timeline

2024-07-24: Advisory disclosed
2024-07-24: VulDB entry created
2024-07-24: VulDB entry last update

Credits

remhopster (VulDB User) 0x40069bc770

References

https://vuldb.com/?id.272348 (VDB-272348 | kirilkirkov Ecommerce-Laravel-Bootstrap Cart.php getCartProductsIds deserialization) vdb-entry technical-description

https://vuldb.com/?ctiid.272348 (VDB-272348 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

https://vuldb.com/?submit.378780 (Submit #378780 | Laravel Ecommerce-Laravel-Bootstrap Platform 7.30.6 PHP Object Injection) third-party-advisory

https://github.com/kirilkirkov/Ecommerce-Laravel-Bootstrap/issues/18 issue-tracking

https://github.com/kirilkirkov/Ecommerce-Laravel-Bootstrap/issues/18#issuecomment-2206863135 issue-tracking

https://github.com/kirilkirkov/Ecommerce-Laravel-Bootstrap/issues/18#issuecomment-2192470359 exploit issue-tracking

https://github.com/kirilkirkov/Ecommerce-Laravel-Bootstrap/commit/a02111a674ab49f65018b31da3011b1e396f59b1 patch

cve.org CVE-2024-7067

nvd.nist.gov CVE-2024-7067
