### Critical Vulnerability Information

#### Vulnerability Overview

- **Vulnerability Type**: Remote Code Execution (RCE) due to deserialization of untrusted data
- **CVE ID**: CVE-2020-5436
- **CVSS v3.1 Score**: 8.6/10 (as published; note that the vector string below evaluates to 9.1 in the CVSS v3.1 calculator, so one of the two fields is inconsistent)
- **Severity**: High

#### Affected Versions

- **Affected Version**: 1.8.182
- **Fixed Version**: 1.8.186

#### Vulnerability Description

- **Product**: FreeScout
- **Version**: 1.8.182
- **CWE ID**: CWE-502: Deserialization of Untrusted Data
- **CAPEC ID**: CAPEC-50: Object Injection
- **CVSS v3.1 Vector**: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

#### Vulnerable Parameter

- **Vulnerable Parameter**: POST `attachments_all[]`

#### Exploitation Requirements

- **Authorized User**: Yes (the request must come from an authenticated session; the vector's PR:H indicates a highly privileged account)
- **APP_KEY Knowledge**: Yes (the attacker must hold the Laravel `APP_KEY`, because the value is authenticated and decrypted with it before being unserialized)

#### Recommended Mitigations

- Upgrade to 1.8.186 or later.
- Never pass request-controlled data to `unserialize()`, including indirectly through Laravel's `decrypt()`, whose default is to unserialize the decrypted plaintext.
- Use plain data formats (such as JSON or XML) instead of serialized PHP objects for values that travel through the client.
- Implement data integrity checks (e.g., an HMAC over the encoded value) and verify them before any decoding.
- Copy decoded values into separate, typed objects only after they pass strict input validation (for an attachment identifier: an integer, nothing else).
- Mark fields that must never be serialized (transient fields in Java; `__sleep()` / `__serialize()` in PHP) so that gadget-bearing state does not round-trip through serialization.
- Because exploitation requires `APP_KEY`, treat any exposure of the key (a readable `.env`, a leaked backup, a shared staging key) as a condition that makes this bug reachable, and rotate the key if it may have leaked.

#### Researchers

- Danil Satyshev, Roman Chernykh, Artem Danilov (Positive Technologies)

#### Vulnerable Code Example

```php
// Each entry of attachments_all[] is passed through Helper::decrypt(), which
// wraps Laravel's decrypt(). Laravel's decrypt() unserializes the plaintext by
// default, so an attacker who knows APP_KEY can submit an encrypted serialized
// object and have it instantiated (CWE-502). The equality check only filters out
// values that Helper::decrypt() hands back unchanged (i.e. failed decryption);
// it does not constrain what a successful decryption may produce.
public function decodeAttachmentsIds($attachments_list)
{
    foreach ($attachments_list as $k => $attachment_id) {
        $attachment_id_decrypted = Helper::decrypt($attachment_id);

        if ($attachment_id_decrypted == $attachment_id) {
            // Decryption did not change the value: treat as invalid and drop it.
            unset($attachments_list[$k]);
        } else {
            // No type check here: the decrypted value may be an arbitrary object.
            $attachments_list[$k] = $attachment_id_decrypted;
        }
    }

    return $attachments_list;
}
```

#### Exploitation Scenario Example

```http
POST /conversation/ajax HTTP/1.1
Host: freescout.web-hacks.ru
Cookie: ...
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://freescout.web-hacks.ru
Sec-Fetch-Site: same-origin
Connection: keep-alive
...
```
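The following is an added, self-contained example (not FreeScout or Laravel code) that reproduces the mechanism behind the vulnerable `decodeAttachmentsIds()` and shows the hardened form the mitigations above call for. It mimics the shape of Laravel's encrypter in plain PHP (AES-256-CBC, encrypt-then-MAC with HMAC-SHA256, base64-wrapped JSON envelope) so it runs with `php example.php` and no framework. The key constant, the `LoggerGadget` class and the function names are constructed for illustration; real gadget chains execute commands rather than echo a string.

```php
<?php
// Added example, not project code. Stand-in for APP_KEY: a constructed 32-byte key.
const APP_KEY = '0123456789abcdef0123456789abcdef';

// Encrypt-then-MAC envelope in the style of Laravel's Encrypter (simplified).
function encryptPayload(string $plaintext, string $key): string
{
    $iv = random_bytes(16);
    $value = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    $ivB64 = base64_encode($iv);
    $valueB64 = base64_encode($value);
    $mac = hash_hmac('sha256', $ivB64 . $valueB64, $key);
    return base64_encode(json_encode(['iv' => $ivB64, 'value' => $valueB64, 'mac' => $mac]));
}

// Returns the decrypted bytes, or null if the envelope is malformed or the MAC fails.
// The MAC is the only integrity check; whoever holds the key can forge a valid envelope.
function decryptPayload(string $payload, string $key): ?string
{
    $env = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($env) || !is_string($env['iv'] ?? null)
        || !is_string($env['value'] ?? null) || !is_string($env['mac'] ?? null)) {
        return null;
    }
    $expected = hash_hmac('sha256', $env['iv'] . $env['value'], $key);
    if (!hash_equals($expected, $env['mac'])) {
        return null; // tampered envelope, or produced under a different key
    }
    $plain = openssl_decrypt(base64_decode($env['value']), 'aes-256-cbc', $key,
                             OPENSSL_RAW_DATA, base64_decode($env['iv']));
    return $plain === false ? null : $plain;
}

// Constructed gadget: any loaded class with a magic method the attacker can reach.
class LoggerGadget
{
    public string $command = '';
    public function __destruct()
    {
        echo "gadget ran: {$this->command}\n";
    }
}

// Vulnerable pattern: decrypt, then unserialize() whatever came out
// (this is what Laravel's decrypt() does unless $unserialize = false is passed).
function decodeAttachmentsIdsVulnerable(array $list): array
{
    foreach ($list as $k => $id) {
        $plain = decryptPayload($id, APP_KEY);
        if ($plain === null) {
            unset($list[$k]);
            continue;
        }
        $list[$k] = unserialize($plain); // attacker with APP_KEY controls this
    }
    return $list;
}

// Hardened pattern: the plaintext is an integer id as a string; it is never unserialized
// and anything that is not a decimal integer is discarded.
function decodeAttachmentsIdsHardened(array $list): array
{
    $out = [];
    foreach ($list as $id) {
        $plain = decryptPayload($id, APP_KEY);
        if ($plain === null || !ctype_digit($plain)) {
            continue;
        }
        $out[] = (int) $plain;
    }
    return $out;
}

// Token the application itself would issue for attachment id 42.
$legit = encryptPayload('42', APP_KEY);
// Attacker token: built with the leaked APP_KEY, so the MAC verifies; the plaintext
// is a serialized object. Written by hand so no gadget object exists until unserialize().
$malicious = encryptPayload('O:12:"LoggerGadget":1:{s:7:"command";s:2:"id";}', APP_KEY);

var_dump(decodeAttachmentsIdsHardened([$legit, $malicious])); // only [42]
decodeAttachmentsIdsVulnerable([$legit, $malicious]);          // __destruct fires: "gadget ran: id"
```

In a Laravel code base the equivalent of the hardened function is to call `decrypt($value, false)` or `Crypt::decryptString()` so the plaintext is returned as a string, then validate it as an integer; `unserialize($plain, ['allowed_classes' => false])` is a weaker fallback that prevents object instantiation but still parses attacker-shaped data. Whether 1.8.186 applies exactly this change is not stated in the advisory.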