Key Information

Vulnerability Type: Authenticated Admin Remote Code Execution via Unsafe Deserialization of Events

Affected Versions
Affected versions: <= 1.2.46
Patched version: 1.2.47

Vulnerability Description
Summary: An unsafe deserialization vulnerability in the allows admins to inject arbitrary PHP objects by modifying the field in the table. A malicious actor can exploit this field to use a PHP gadget to write a web shell into the folder, which then gives remote code execution on the host system.

Vulnerability Details
Problematic code: The problematic code is in .
Exploitation: The app uses to deserialize data into a PHP object. If an attacker modifies the field with a specific value, it triggers the deserialization of a PHP gadget that writes a web shell.

Exploitation Steps (PoC)
1. Log in as default admin user.
2. Create a project and a task.
3. Download and unzip the database.
4. Find a target row in the table and update the field to .
5. Download the following PHP gadget file and put it in your working directory.
6. Use the Python script to update the column for the row you're targeting.
7. Reload the site and visit the task activity stream.

Impact
Impact:
- Arbitrary remote code execution on the host as the PHP process user.
- Full filesystem access, including writing to the plugins directory.
- Persistence (reverse shell or web shell survives restart).
- Data exfiltration, data tampering, or denial of service.

Security Severity
Severity: Critical

CVE ID
CVE-2020-5070
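The root cause described under "Vulnerability Details" is the general pattern of calling unserialize() on a database column that a privileged user can edit: whatever class name is encoded in the stored string gets instantiated, and its __wakeup()/__destruct() run as a side effect. The example below is an added illustration written for this advisory; it is not Kanboard's code, and the class, function and column names are hypothetical. It contrasts the unsafe loader with two hardened forms (allowed_classes => false, and storing events as JSON) and includes a small audit check that flags stored payloads containing a serialized object marker. It assumes PHP 8.0 or later.

```php
<?php
// Added illustration, not the project's own code. All names are hypothetical.
declare(strict_types=1);

// Stands in for any class whose __wakeup()/__destruct() has a side effect;
// such classes are what a gadget chain targets. Here the side effect is
// only a flag, so the demonstration stays harmless.
final class SideEffectOnWakeup
{
    public static bool $wakeupRan = false;
    public string $note = '';

    public function __wakeup(): void
    {
        self::$wakeupRan = true;   // runs automatically during unserialize()
    }
}

// VULNERABLE: every class named in the stored string is instantiated.
function loadEventVulnerable(string $stored): mixed
{
    return unserialize($stored);
}

// HARDENED (a): objects come back as __PHP_Incomplete_Class, so the real
// class's __wakeup()/__destruct() never executes.
function loadEventHardened(string $stored): mixed
{
    return unserialize($stored, ['allowed_classes' => false]);
}

// HARDENED (b): JSON cannot express PHP objects at all, which is the better
// fix when the stored event is plain data.
function saveEventJson(array $event): string
{
    return json_encode($event, JSON_THROW_ON_ERROR);
}

function loadEventJson(string $stored): array
{
    return json_decode($stored, true, 512, JSON_THROW_ON_ERROR);
}

// Audit helper for existing rows: an event that is only arrays and scalars
// never needs an object marker (O:<len>:"<class>") in its serialized form.
function containsSerializedObject(string $stored): bool
{
    return (bool) preg_match('/(?:^|[;{])O:\d+:"/', $stored);
}

// Constructed sample rows standing in for an events table.
$rows = [
    ['id' => 1, 'payload' => serialize(['task_id' => 7, 'title' => 'Write report'])],
    // Shape of an attacker-edited cell (hypothetical class, harmless here).
    ['id' => 2, 'payload' => 'O:18:"SideEffectOnWakeup":1:{s:4:"note";s:5:"hello";}'],
];

foreach ($rows as $row) {
    $flag = containsSerializedObject($row['payload']) ? 'OBJECT' : 'ok';
    $safe = loadEventHardened($row['payload']);
    $kind = is_object($safe) ? get_class($safe) : gettype($safe);
    printf("row %d: audit=%s hardened_type=%s\n", $row['id'], $flag, $kind);
}

// Show that only the unsafe loader triggers the side effect.
loadEventHardened($rows[1]['payload']);
printf("after hardened load, wakeup ran: %s\n", SideEffectOnWakeup::$wakeupRan ? 'yes' : 'no');
loadEventVulnerable($rows[1]['payload']);
printf("after vulnerable load, wakeup ran: %s\n", SideEffectOnWakeup::$wakeupRan ? 'yes' : 'no');

// Round trip through JSON for the legitimate event.
$event = loadEventJson(saveEventJson(['task_id' => 7, 'title' => 'Write report']));
printf("json round trip task_id=%d\n", $event['task_id']);
```

Running it prints row 2 as OBJECT with hardened_type __PHP_Incomplete_Class, "no" after the hardened load and "yes" only after the vulnerable one. The audit regex is a quick way to sweep an existing table for rows that should never contain objects; the JSON variant is the durable fix because it removes unserialize() from the code path entirely rather than restricting it.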