JoomSport < 5.1.8 – Unauthenticated PHP Object Injection | CVE 2021-24384

Description

The joomsport_md_load AJAX action of the plugin, registered for both unauthenticated and unauthenticated users, unserialised user input from the shattr POST parameter, leading to a PHP Object Injection issue. Even though the plugin does not have a suitable gadget chain to exploit this, other installed plugins could, which might lead to more severe issues such as RCE

Proof of Concept

POST /wp-admin/admin-ajax.php
[...]

action=joomsport_md_load&mdId=1&shattr=Tzo0OiJURVNUIjowOnt9

Affects Plugins

joomsport-sports-league-results-management

Fixed in 5.1.8

References

CVE

CVE-2021-24384

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CWE-502

CVSS

6.5 (medium)

Miscellaneous

Original Researcher

Bugbang

Submitter

Bugbang

Submitter twitter

xBugBang

Verified

Yes

WPVDB ID

fb6c407c-713c-4e83-92ce-4e5f791be696

Timeline

Publicly Published

2021-06-08 (about 2 years ago)

Added

2021-06-08 (about 2 years ago)

Last Updated

2022-01-17 (about 2 years ago)

Other

Published

Title

Published

2024-01-05

Title

Taggbox < 3.2 - Unauthenticated PHP Object Injection

Published

2024-02-09

Title

Brooklyn <= 4.9.7.6 - PHP Object Injection

Published

2020-11-10

Title

Ultimate Reviews < 2.1.33 - Unauthenticated PHP Object Injection

Published

2024-04-10

Title

WordPress Geo Controller < 8.6.5 - PHP Object Injection

Published

2022-12-09

Title

Custom Field Template < 2.5.8 - Admin+ PHP Object Injection