N/A

The file mexcel.php in the Vfront 0.99.52 codebase contains a vulnerable call to unserialize(base64_decode($_POST['mexcel'])), where $_POST['mexcel'] is user-controlled input. This input is decoded from base64 and deserialized without validation or use of the allowed_classes option, allowing an attacker to inject arbitrary PHP objects. This can lead to malicious behavior, such as Remote Code Execution (RCE), SQL Injection, Path Traversal, or Denial of Service, depending on the availability of exploitable classes in the Vfront codebase or its dependencies.

N/A

N/A

Vfront 安全漏洞

Vfront是Marcello Verona个人开发者的一个数据库管理前端工具。 Vfront 0.99.52版本存在安全漏洞，该漏洞源于对用户控制的输入进行反序列化操作时未进行验证或使用allowed_classes选项，可能导致远程代码执行、SQL注入、路径遍历或拒绝服务攻击。

N/A

N/A