Key information

Vulnerability type: Authenticated Admin Remote Code Execution via Unsafe Deserialization of Events

Affected versions: <= 1.2.46
Patched version: 1.2.47

Description
Summary: An unsafe deserialization vulnerability in the allows admins to inject arbitrary PHP objects by modifying the field in the table. A malicious actor can exploit this field to trigger a PHP gadget that writes a web shell into the folder, which then gives remote code execution on the host system.

Details
Problematic code: The problematic code is in .
Exploitation: The app uses to deserialize the stored data back into a PHP object. Because the stored string names the class to instantiate, an attacker who can write a crafted value into that field controls which objects are created; if a loadable class with a side-effecting magic method (a gadget) is available, deserializing the value writes a web shell. The precondition is an authenticated admin account that can modify the stored database contents.

Exploitation steps (PoC)
1. Log in as the default admin user.
2. Create a project and a task.
3. Download and unzip the database.
4. Find a target row in the table and update the field to .
5. Download the following PHP gadget file and put it in your working directory.
6. Use the Python script to update the column for the row you are targeting.
7. Reload the site and visit the task activity stream.

Impact
- Arbitrary remote code execution on the host as the PHP process user.
- Full filesystem access, including writing to the plugins directory.
- Persistence (a reverse shell or web shell survives a restart).
- Data exfiltration, data tampering, or denial of service.

Severity: Critical

CVE ID: CVE-2020-5070
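The following is an added illustration of the bug class, not the affected project's code: it contrasts the unsafe pattern (trusting a database column to unserialize()) with two hardened variants. The class name FileWriterGadget, the file paths and the function names are hypothetical; the real gadget and column are not reproduced here. Requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not the project's own code. FileWriterGadget, the paths
 * and the loadEvent* functions are hypothetical names chosen for this demo.
 */

/** Hypothetical gadget: any autoloadable class whose magic method has a side effect. */
final class FileWriterGadget
{
    public function __construct(
        public string $path = '/tmp/gadget_demo.txt',
        public string $content = "<?php echo 'demo'; ?>\n",
    ) {}

    /** Runs automatically when the object is released after unserialize(). */
    public function __destruct()
    {
        file_put_contents($this->path, $this->content);
    }
}

/** VULNERABLE: the stored column is trusted and fed straight to unserialize(). */
function loadEventVulnerable(string $column): mixed
{
    return unserialize($column);  // instantiates whatever class the string names
}

/** HARDENED (1): keep the storage format, but let no class be instantiated. */
function loadEventSafe(string $column): mixed
{
    $value = unserialize($column, ['allowed_classes' => false]);
    if ($value === false && $column !== serialize(false)) {
        throw new UnexpectedValueException('corrupt or tampered event data');
    }
    // Object payloads now come back as __PHP_Incomplete_Class, whose magic methods never run.
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException('object payload rejected');
    }
    return $value;
}

/** HARDENED (2): avoid the serialize() format entirely; JSON cannot name classes. */
function loadEventJson(string $column): array
{
    $value = json_decode($column, true, 32, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new UnexpectedValueException('event data must be a JSON object or array');
    }
    return $value;
}

// Constructed payload: what an attacker with write access to the column stores.
// (The temporary object is destroyed right after serialize(), so the demo file
// is created here too; it is removed again before each load below.)
$payload = serialize(new FileWriterGadget('/tmp/gadget_demo.txt'));
echo $payload, "\n";   // O:16:"FileWriterGadget":2:{s:4:"path";s:20:"/tmp/gadget_demo.txt";...}

// Vulnerable path: the gadget is instantiated, its destructor fires, the file is written.
@unlink('/tmp/gadget_demo.txt');
loadEventVulnerable($payload);
var_dump(file_exists('/tmp/gadget_demo.txt'));   // bool(true)

// Hardened path: no class is instantiated and the payload is rejected.
@unlink('/tmp/gadget_demo.txt');
try {
    loadEventSafe($payload);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
var_dump(file_exists('/tmp/gadget_demo.txt'));   // bool(false)

// Plain data still round-trips through the hardened loader.
var_dump(loadEventSafe(serialize(['task_id' => 1, 'event' => 'task.create'])));
var_dump(loadEventJson('{"task_id":1,"event":"task.create"}'));
```

The `allowed_classes => false` option is the minimal fix when the storage format cannot change; switching the column to JSON removes the class of bug entirely, since no decoder for that format will instantiate objects. Either way, the data read back must still be validated as the expected shape before use.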