Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Monero Forum Remote Code Execution via Arbitrary File Read and Cookie Forgery
Vulnerability Description
A PHP objection injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using PHP’s finfo can be bypassed via crafted stream filter chains that prepend spoofed headers, allowing access to internal Laravel configuration files. An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution.
CVSS Information
N/A
Vulnerability Type
可信数据的反序列化
Vulnerability Title
Monero Project Forum 安全漏洞
Vulnerability Description
Monero Project Forum是Monero Project开源的一个在线论坛。 Monero Project Forum存在安全漏洞,该漏洞源于不安全处理用户输入导致PHP对象注入。
CVSS Information
N/A
Vulnerability Type
N/A