Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Insecure Deserialisation via Plaintext HTTP leading to Remote Code Execution in Quick.CMS
Vulnerability Description
Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class restrictions, crafted payloads can trigger dangerous magic methods (e.g., __wakeup() and __destruct()) and leverage gadget chains, resulting in arbitrary code execution. Exploitation is triggered automatically when an administrator accesses the admin panel. When successfully exploited, this vulnerability allows attackers to execute arbitrary code on the server via manipulated serialized data transmitted over an unprotected channel. This issue was mitigated by limiting the communication to HTTPS in a patch for version 6.8 published on 14.05.2026, deployments without this patch remain vulnerable.
CVSS Information
N/A
Vulnerability Type
可信数据的反序列化
Vulnerability Title
OpenSolution Quick.CMS 反序列化漏洞
Vulnerability Description
OpenSolution quick.cms是OpenSolution组织开源的一个内容管理系统。 OpenSolution Quick.CMS 6.8之前版本存在安全漏洞,该漏洞源于在HTTP上传输反序列化数据时未验证数据完整性和真实性,可能导致攻击者在传输过程中篡改序列化有效载荷并注入恶意对象。由于反序列化没有正确验证或类限制,特制有效载荷可能触发危险魔法方法并结合小工具链,导致远程代码执行。当管理员访问管理面板时,利用会自动触发。
CVSS Information
N/A
Vulnerability Type
N/A