Home

Description

A flaw has been found in EyouCMS up to 1.7.7. The impacted element is the function unserialize of the file application/api/controller/Ajax.php of the component arcpagelist Handler. Executing manipulation of the argument attstr can lead to deserialization. The attack can be launched remotely. The exploit has been published and may be used. The vendor is "[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8".

PUBLISHED Reserved 2025-12-30 | Published 2025-12-31 | Updated 2025-12-31 | Assigner VulDB




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
MEDIUM: 6.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C
MEDIUM: 6.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C
6.5AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C

Problem types

Deserialization

Improper Input Validation

Timeline

2025-12-30:Advisory disclosed
2025-12-30:VulDB entry created
2025-12-30:VulDB entry last update

Credits

pemic (VulDB User) reporter

References

vuldb.com/?id.339083 (VDB-339083 | EyouCMS arcpagelist Ajax.php unserialize deserialization) vdb-entry technical-description

vuldb.com/?ctiid.339083 (VDB-339083 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/?submit.718481 (Submit #718481 | EyouCMS 1.7.7 Deserialization) third-party-advisory

note-hxlab.wetolink.com/share/2wLgcbKe9Toh related

note-hxlab.wetolink.com/share/2wLgcbKe9Toh exploit

cve.org (CVE-2025-15375)

nvd.nist.gov (CVE-2025-15375)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.