A PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable “strProfileData” and allows an unauthenticated attacker to execute code via a crafted POST request.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24914
Reference (s):
- FULLDISC:20210312 [AIT-SA-20210215-01] CVE-2020-24914: QCubed PHP Object Injection
- URL: http://seclists.org/fulldisclosure/2021/Mar/28
- http://packetstormsecurity.com/files/161758/QCubed-3.1.1-PHP-Object-Injection.html
- http://qcubed.com
- https://tech.feedyourhead.at/content/QCubed-PHP-Object-Injection-CVE-2020-24914