module
Gibbon School Platform Authenticated PHP Deserialization Vulnerability
| Disclosed | Created |
|---|---|
| Mar 18, 2024 | Apr 5, 2024 |
Disclosed
Mar 18, 2024
Created
Apr 5, 2024
Description
A Remote Code Execution vulnerability in Gibbon online school platform version 26.0.00 and lower
allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a
POST request to the endpoint `/modules/System%20Admin/import_run.php&type=externalAssessment&step=4`.
As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,
potentially resulting in complete system compromise, data exfiltration, or unauthorized access
to sensitive information.
allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a
POST request to the endpoint `/modules/System%20Admin/import_run.php&type=externalAssessment&step=4`.
As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,
potentially resulting in complete system compromise, data exfiltration, or unauthorized access
to sensitive information.
Authors
h00die-gr3y h00die.gr3y@gmail.com
Ali Maharramli
Fikrat Guliev
Islam Rzayev
Ali Maharramli
Fikrat Guliev
Islam Rzayev
Platform
Linux,PHP,Unix,Windows
Architectures
php, cmd, x64, x86
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.