Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
NA

CVE-2024-24725

Published: 23/03/2024 Updated: 25/03/2024

Vulnerability Summary

Gibbon up to and including 26.0.00 allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the modules/System%20Admin/import_run.php&type=externalAssessment&step=4 URI.

Vendor Advisories

Check Point Security Alerts: Gibbon LMS Insecure Deserialization (CVE-2024-24725)
Check Point Reference: CPAI-2024-0182 Date Published: 24 Apr 2024 Severity: High ...

Exploits

Exploit DB: Gibbon School Platform 26.0.00 Remote Code Execution
A remote code execution vulnerability in Gibbon online school platform version 26000 and lower allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the endpoint /modules/System%20Admin/import_runphp&type=externalAssessment&step=4 As it allows remote code execution, adversaries cou ...
Exploit DB: Gibbon LMS 26.0.00 PHP Deserialization / Code Execution
Gibbon LMS version 26000 suffers from a PHP deserialization vulnerability that allows for authenticated remote code execution ...
Exploit DB: Gibbon School Platform Authenticated PHP Deserialization Vulnerability
A Remote Code Execution vulnerability in Gibbon online school platform version 26000 and lower allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the endpoint `/modules/System%20Admin/import_runphp&type=externalAssessment&step=4` As it allows remote ...

Metasploit Modules

Gibbon School Platform Authenticated PHP Deserialization Vulnerability

A Remote Code Execution vulnerability in Gibbon online school platform version 26.0.00 and lower allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the endpoint `/modules/System%20Admin/import_run.php&type=externalAssessment&step=4`. As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands, potentially resulting in complete system compromise, data exfiltration, or unauthorized access to sensitive information.

msf > use exploit/multi/http/gibbon_auth_rce_cve_2024_24725
msf exploit(gibbon_auth_rce_cve_2024_24725) > show targets
    ...targets...
msf exploit(gibbon_auth_rce_cve_2024_24725) > set TARGET < target-id >
msf exploit(gibbon_auth_rce_cve_2024_24725) > show options
    ...show and set options...
msf exploit(gibbon_auth_rce_cve_2024_24725) > exploit

References

https://gibbonedu.org/download/https://www.exploit-db.com/exploits/51903https://nvd.nist.govhttps://packetstormsecurity.com/files/177944/Gibbon-School-Platform-26.0.00-Remote-Code-Execution.htmlhttps://www.rapid7.com/db/modules/exploit/multi/http/gibbon_auth_rce_cve_2024_24725/https://advisories.checkpoint.com/defense/advisories/public/2024/cpai-2024-0182.html
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-49223CVE-2024-0044information disclosureCVE-2024-35753HTML injectionCVE-2024-21306CVE-2024-35733SQL injectionCVE-2024-35732
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook