CVE-2019-7725
CRITICAL
WAF: Medium
CVSS 9.8
Published: 2020-12-31
CWE-502
includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk).
WAF Coverage Analysis
Insecure Deserialization
Medium WAF Coverage
OWASP: A08:2021 Software and Data Integrity Failures
944xxx - Java Attack
Affected Software
| Vendor | Product | Version |
|---|---|---|
| nukeviet | nukeviet | up to 4.3.04 |