Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
BeWelcome/Rox PHP Object Injection RCE
Vulnerability Description
Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize(): the POST parameter `formkit_memory_recovery` in \\RoxPostHandler::getCallbackAction and the 'memory cookie' read by \\RoxModelBase::getMemoryCookie (bwRemember). (1) If present, `formkit_memory_recovery` is processed and passed to unserialize(), and (2) restore-from-memory functionality calls unserialize() on the bwRemember cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was remediated with commit c60bf04 (2025-06-16).
CVSS Information
N/A
Vulnerability Type
可信数据的反序列化
Vulnerability Title
BeWelcome 安全漏洞
Vulnerability Description
BeWelcome是BeWelcome开源的一个旅行分享站点。 BeWelcome 存在安全漏洞,该漏洞源于对POST参数formkit_memory_recovery和memory cookie bwRemember的反序列化处理不当,可能导致PHP对象注入攻击。
CVSS Information
N/A
Vulnerability Type
N/A