CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-9369-69wj-7m2f: YesWiki Vulnerable to Authenticated PHP Object Injection in BazarImportAction via unserialize

criticalCVE-2026-52777
Details Sink tools/bazar/services/CSVManager.php line 372-399: public function importEntry(array $importedEntries, string $formId): ?array { if (!$this->importdone) { // ... foreach ($importedEntries as $entry) { $entry = unserialize(base64_decode($entry)); // <-- SINK $entry = array_map('strval', $entry); // ... There is no ['allowed_classes' => false] argument; arbitrary classes are instantiated. The subsequent array_map('strval', $entry) additionally exercises __toString on each top-level array element, doubling the magic-method surface available to a gadget chain. Source tools/bazar/actions/BazarImportAction.php: // formatArguments() 'mode' => (isset($_POST['submit_file']) && !empty($_FILES['fileimport']['name'])) ? 'submitfile' : (isset($_POST['importfiche']) ? 'importentries' : 'default'), 'importentries' => $_POST['importfiche'] ?? null, // run() case 'importentries': // ... $importedEntries = $this->CSVManager->importEntry($this->arguments['importentries'], $vID['id']); break; $_POST['importfiche'] flows directly to the sink. The mode switches to 'importentries' whenever the request body contains the key, so an attacker need only POST importfiche[0]=<payload>. Reachability 1. The action is registered as bazarimport. The default BazaR page (setup/sql/default-content.sql -> BazaR page entry, ships with {{bazar showexportbuttons="1"}}) routes ?BazaR&vue=importer&id_typeannonce=<N> to BazarAction::run() -> case VOIR_IMPORTER -> callAction('bazarimport', ...) (tools/bazar/actions/BazarAction.php:257-258). So the sink is reachable on a default install with no extra page authoring. 2. BazarImportAction::run() calls $this->checkSecuredACL() with the default $adminOnly=true. Only wiki admins (or accounts the admin has added to the bazarimport action ACL) can execute it. 3. The importentries branch does NOT invoke CsrfTokenController::checkToken(...). Grepping tools/bazar/actions/BazarImportAction.php confirms the action class has no csrf or checkToken re

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
critical
Published
2026-07-09
Last updated
2026-07-09
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-9369-69wj-7m2f

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-52777coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories