Vulnerability Description
includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk).
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nukeviet | Nukeviet | < 4.3.04 |
Related Weaknesses (CWE)
References
- https://github.com/nukeviet/nukeviet/blob/4.3.04/CHANGELOG.txt (Release Notes, Third Party Advisory)
- https://github.com/nukeviet/nukeviet/blob/nukeviet4.3/CHANGELOG.txt (Release Notes, Third Party Advisory)
- https://github.com/nukeviet/nukeviet/compare/4.3.03...4.3.04 (Release Notes, Third Party Advisory)
- https://github.com/nukeviet/nukeviet/pull/2740/commits/05dfb9b4531f12944fe39556f (Patch, Third Party Advisory)
FAQ
What is CVE-2019-7725?
CVE-2019-7725 is a vulnerability with a CVSS score of 9.8 (CRITICAL). includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk).
How severe is CVE-2019-7725?
CVE-2019-7725 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-7725?
Check the references section above for vendor advisories and patch information; it links the 4.3.04 changelog and a patch commit. Affected products include: Nukeviet Nukeviet, versions before 4.3.04.