
CVE-2024-36528: nukeviet Deserialization of Untrusted Data vulnerability

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: 0.58267%
Published: 6/10/2024
Updated: 8/21/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name        Ecosystem   Vulnerable Versions   First Patched Version
nukeviet/nukeviet   composer    <= 4.5                (none listed)

Vulnerability Intelligence

Root Cause Analysis

The advisory names code execution via the /admin/extensions/download.php and /admin/extensions/upload.php endpoints. The vulnerable code itself is not reproduced here, but PHP deserialization bugs (CWE-502) almost always come down to unserialize() being called on input the attacker controls: unserialize() will instantiate any loadable class with attacker-chosen property values, and a class whose __wakeup() or __destruct() acts on those properties (writing a file, including a path, running a callback) turns that into code execution. The CWE-502 classification and the RCE impact therefore strongly suggest that these two files call unserialize() on request data without validating it. The admin context fits extension management, which typically moves serialized package or configuration metadata between the client and the server; the PR:L in the CVSS vector likewise indicates that the attacker needs an authenticated account, not that the endpoints are unreachable without one.
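The pattern described above, as an added PHP illustration. This is not nukeviet's code: the CacheWriter gadget class, the two loader functions, their parameter names and the temp-file target are all hypothetical, chosen only to show how an unserialize() on request data becomes a file write, and what the same loader looks like once object instantiation is refused and the decoded structure is validated.

```php
<?php
// Added illustration of CWE-502 in PHP. This is NOT nukeviet's code: the class,
// function and parameter names and the file paths below are hypothetical.

// A "gadget": any class the application can autoload whose magic method acts
// on attacker-controlled properties. Here the destructor writes a file, so
// controlling $path and $data is an arbitrary file write (e.g. a web shell).
class CacheWriter
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable pattern: serialized "extension metadata" taken straight from the
// request and handed to unserialize(). The attacker chooses the class.
function loadExtensionMetaVulnerable(string $blob): mixed
{
    return unserialize(base64_decode($blob));
}

// Hardened pattern: never let unserialize() build objects from request data,
// and validate the shape of what comes back.
function loadExtensionMetaHardened(string $blob): array
{
    $raw = base64_decode($blob, true);
    if ($raw === false) {
        throw new InvalidArgumentException('metadata is not valid base64');
    }
    // allowed_classes => false turns every object in the payload into
    // __PHP_Incomplete_Class, so no __wakeup()/__destruct() gadget can run.
    // max_depth bounds nesting so a huge payload cannot exhaust the stack.
    $meta = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if (!is_array($meta)) {
        throw new InvalidArgumentException('metadata must be a plain array');
    }
    $expected = ['name' => 'string', 'version' => 'string'];
    foreach ($expected as $key => $type) {
        if (!isset($meta[$key]) || gettype($meta[$key]) !== $type) {
            throw new InvalidArgumentException("metadata field '$key' missing or wrong type");
        }
    }
    return array_intersect_key($meta, $expected);
}

// Attacker side: a hand-built serialized CacheWriter, so no destructor fires
// on the attacker's own machine while the payload is prepared.
function buildGadgetPayload(string $path, string $data): string
{
    $s = sprintf(
        'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
        strlen($path), $path, strlen($data), $data
    );
    return base64_encode($s);
}

// Demonstration. The target is a temp file so the demo is harmless.
$target  = sys_get_temp_dir() . '/cwe502-demo.txt';
$payload = buildGadgetPayload($target, "written by __destruct()\n");

loadExtensionMetaVulnerable($payload);   // object built, then freed: __destruct() fires
echo 'vulnerable: file written? ', var_export(file_exists($target), true), PHP_EOL;
@unlink($target);

try {
    loadExtensionMetaHardened($payload);
} catch (InvalidArgumentException $e) {
    echo 'hardened: rejected gadget (', $e->getMessage(), ')', PHP_EOL;
}

$legit = base64_encode(serialize(['name' => 'demo-ext', 'version' => '1.0.0']));
echo 'hardened: accepted ', json_encode(loadExtensionMetaHardened($legit)), PHP_EOL;
```

The hardened loader still calls unserialize(), which is the minimal change for code that already round-trips PHP-serialized blobs; the better fix is to stop accepting the PHP serialization format from clients at all (json_decode() plus the same field validation), and, where a server-generated blob must pass through the client, to HMAC it server-side and verify the tag before decoding. allowed_classes => false only stops object instantiation; the depth limit and the field whitelist are what keep a maliciously large or unexpected array from doing harm.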


WAF Protection Rules

WAF Rule

nukeviet v.4.5 and before, and the affected nukeviet-egov releases and before, have a deserialization vulnerability which results in code execution via /admin/extensions/download.php and /admin/extensions/upload.php.
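The check such a rule has to encode, as an added PHP example. It is neither Miggo's rule nor nukeviet code: the parameter names, the sample requests and the scoping to the two paths named in the advisory are constructed for the demonstration. It looks for the start of a serialized PHP object (O:<len>:"Class": or C:<len>:"Class":) in each parameter, also after URL decoding and after strict base64 decoding, since upload and download endpoints commonly receive the blob encoded.

```php
<?php
// Added example of the kind of check a WAF rule for this CVE would encode.
// Not Miggo's rule and not nukeviet code; parameter names and the sample
// requests below are constructed for the demonstration.

// Start of a serialized PHP object (O:) or Serializable class payload (C:),
// preceded by start-of-string or a non-alphanumeric (so nested objects inside
// arrays, e.g. a:1:{i:0;O:8:"stdClass":0:{}}, are caught too).
const PHP_OBJECT_MARKER = '/(?:^|[^A-Za-z0-9])([OC]):\d+:"([A-Za-z_\\\\][A-Za-z0-9_\\\\]*)":/';

// Returns the class name found, or null. Inspects the raw value, a URL-decoded
// copy and (if it decodes strictly) a base64-decoded copy.
function findSerializedObject(string $value): ?string
{
    $candidates = [$value, rawurldecode($value)];
    $b64 = base64_decode($value, true);
    if ($b64 !== false) {
        $candidates[] = $b64;
    }
    foreach ($candidates as $c) {
        if (preg_match(PHP_OBJECT_MARKER, $c, $m)) {
            return $m[2];
        }
    }
    return null;
}

// Evaluates one request: only the two paths from the advisory are in scope,
// and every string parameter (query and body) is inspected.
function inspectRequest(string $path, array $params): array
{
    $inScope = ['/admin/extensions/download.php', '/admin/extensions/upload.php'];
    if (!in_array($path, $inScope, true)) {
        return ['block' => false, 'reason' => 'path not in scope'];
    }
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        $class = findSerializedObject($value);
        if ($class !== null) {
            return ['block' => true, 'reason' => "serialized object of class $class in parameter '$name'"];
        }
    }
    return ['block' => false, 'reason' => 'no serialized object found'];
}

// Constructed sample requests (hypothetical parameter names).
$samples = [
    ['/admin/extensions/upload.php',   ['meta' => base64_encode('O:11:"CacheWriter":1:{s:4:"path";s:9:"shell.php";}')]],
    ['/admin/extensions/download.php', ['id' => 'O:8:"stdClass":0:{}']],
    ['/admin/extensions/download.php', ['id' => 'a:1:{s:4:"name";s:4:"demo";}']],   // plain array: allowed
    ['/index.php',                     ['q' => 'O:8:"stdClass":0:{}']],               // out of scope
];
foreach ($samples as [$path, $params]) {
    $r = inspectRequest($path, $params);
    printf("%-36s %s: %s\n", $path, $r['block'] ? 'BLOCK' : 'allow', $r['reason']);
}
```

A marker match like this is a stopgap, not a fix: it cannot see payloads wrapped in an encoding it does not try (compression, double base64, a custom container format), and blocking every serialized object on these paths may break legitimate extension uploads if the application itself ships objects that way. It buys time until the unserialize() call is removed or hardened in the code.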
