Qcubed is vulnerable to untrusted object deserialization. An attacker is able to inject untrusted PHP object of the POST-variable “strProfileData” and execute code via a malicious POST request.
CPE | Name | Operator | Version |
---|---|---|---|
qcubed/qcubed | le | v3.1.1 |
qcubed.com
seclists.org/fulldisclosure/2021/Mar/28
github.com/qcubed/qcubed/commit/b38f2a4ede98eb404392fc33824da87808be277d
github.com/qcubed/qcubed/pull/1320
tech.feedyourhead.at/content/QCubed-PHP-Object-Injection-CVE-2020-24914
www.ait.ac.at/themen/cyber-security/pentesting/security-advisories/ait-sa-20210215-01