CVE-2025-15438
5.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Summary
A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing a manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was informed early about this issue and announced that "[w]e fix this issue in the next version 5.8.23". A patch for it is ready.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | PluXml | 5.8.0 | affected |
| n/a | PluXml | 5.8.1 | affected |
| n/a | PluXml | 5.8.2 | affected |
| n/a | PluXml | 5.8.3 | affected |
| n/a | PluXml | 5.8.4 | affected |
| n/a | PluXml | 5.8.5 | affected |
| n/a | PluXml | 5.8.6 | affected |
| n/a | PluXml | 5.8.7 | affected |
| n/a | PluXml | 5.8.8 | affected |
| n/a | PluXml | 5.8.9 | affected |
| n/a | PluXml | 5.8.10 | affected |
| n/a | PluXml | 5.8.11 | affected |
| n/a | PluXml | 5.8.12 | affected |
| n/a | PluXml | 5.8.13 | affected |
| n/a | PluXml | 5.8.14 | affected |
| n/a | PluXml | 5.8.15 | affected |
| n/a | PluXml | 5.8.16 | affected |
| n/a | PluXml | 5.8.17 | affected |
| n/a | PluXml | 5.8.18 | affected |
| n/a | PluXml | 5.8.19 | affected |
| n/a | PluXml | 5.8.20 | affected |
| n/a | PluXml | 5.8.21 | affected |
| n/a | PluXml | 5.8.22 | affected |
Weaknesses
- CWE-502: Deserialization
- CWE-20: Improper Input Validation
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://vuldb.com/?id.339383
- https://vuldb.com/?ctiid.339383
- https://vuldb.com/?submit.713989
- https://note-hxlab.wetolink.com/share/9SJUnaDcJuqz
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.