Talos Vulnerability Report


Epignosis eFront LMS PHP deserialization code execution vulnerability

September 3, 2019
CVE Number



A code execution vulnerability exists in Epignosis eFront LMS v5.2.12. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.

Tested Versions

Epignosis eFront LMS v5.2.12

Product URLs


CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


CWE-502 - Deserialization of Untrusted Data


Cisco Talos discovered that the application deserialized untrusted data without properly limiting or validating the incoming data type.

The following proof of concept demonstrates the issue:

POST /audiences/add/1 HTTP/1.1
Host: [IP]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[IP]/audiences/add/1
Content-Type: application/x-www-form-urlencoded
Content-Length: 168
DNT: 1
Connection: close
Cookie: PHPSESSIDfb411=aaaaaaaa;
Upgrade-Insecure-Requests: 1

ratio=undefined&_qf__audience_properties_form=&qfS_csrf=abc&name=[UNSERIALIZED DATA]&description=jh&active=1&branches_ID=&submit=Add

The following code is responsible for all observed unsafe unserializations:

    public function set($property, $value, $type = null) {
        // $this->$property translates to the variable name, for example $this->_name or $this->_address:
        if ($value !== $this->$property) {
            // The default type to check against is 'generic', which cuts off non-scalar values:
            !empty($type) OR $type = 'generic';

            if (!empty($value) && BaseModel::checkParameter($value, $type) === false) {
                throw new EfrontException("Invalid type '{$type}' for '{$property}'");
            }

            // The untrusted $value is handed straight to unserialize() as a "type check" (CWE-502);
            // any input that parses is deserialized and then stored without escaping:
            if ($value && $type == 'generic' && @unserialize($value) === false) {
                $value = htmlspecialchars(strip_tags($value), ENT_COMPAT, 'UTF-8', false);
            } else if ($value && $type == 'wysiwig') {
                $value = TemplateController::purify($value);
            }

            $this->$property = $value;
            $this->_must_persist = true;
        }

        return $this;
    }
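The following is an added illustration, not eFront code: the unserialize()-as-type-check branch from the method above, reduced to a standalone function, beside a hardened form that never deserializes untrusted form input. Function names and the sample payload are constructed for the example.

```php
<?php
// Vulnerable pattern from the advisory: unserialize() is called on the raw form
// value only to decide whether it "looks serialized". Any payload that parses is
// both deserialized (object injection) and returned without htmlspecialchars().
function sanitize_generic_vulnerable(string $value): string {
    if ($value && @unserialize($value) === false) {
        return htmlspecialchars(strip_tags($value), ENT_COMPAT, 'UTF-8', false);
    }
    return $value;
}

// Hardened form: a 'generic' form field is plain text, so it is escaped
// unconditionally and untrusted input never reaches unserialize().
function sanitize_generic_hardened(string $value): string {
    return htmlspecialchars(strip_tags($value), ENT_COMPAT, 'UTF-8', false);
}

// If a field genuinely must carry serialized data, refuse to instantiate any
// class so no constructor, __wakeup() or __destruct() can run (PHP >= 7.0).
function unserialize_no_objects(string $value) {
    $data = @unserialize($value, ['allowed_classes' => false]);
    if ($data === false && $value !== 'b:0;') {
        return null; // not a valid serialized payload
    }
    return $data;
}

// Constructed sample: a serialized object of a class that does not exist here.
$payload = 'O:7:"SomeObj":1:{s:4:"prop";s:1:"x";}';

// Vulnerable path: unserialize() succeeds, so the raw string is stored as-is.
var_dump(sanitize_generic_vulnerable($payload) === $payload);
// Hardened path: the string is escaped and no deserialization takes place.
var_dump(sanitize_generic_hardened($payload));
// Restricted deserialization: yields __PHP_Incomplete_Class, no methods invoked.
var_dump(unserialize_no_objects($payload));
```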

Forms submitted to the following URLs were discovered to be vulnerable:

http://[IP]/Banners/add/1 [name parameter]
http://[IP]/Glossary/add/1 [term parameter]
http://[IP]/RandomDataPopulator/add/1 [name parameter]
http://[IP]/audiences/add/1 [name parameter]
http://[IP]/branches/add/1 [name parameter]
http://[IP]/categories/add/1 [name parameter]
http://[IP]/certificates/add/1 [name parameter]
http://[IP]/curriculums/add/1 [name parameter]
http://[IP]/discussions/course-id/180/add-topic/1/popup/1 [title parameter]
http://[IP]/jobs/add/1 [name parameter]
http://[IP]/payments/op/price_tracks/add/1 [discount_type parameter]
http://[IP]/reports/op/courses [filter_name parameter]
http://[IP]/skill-tests/add/1/quick-add/1 [name parameter]
http://[IP]/skills/add/1 [name parameter]


2019-07-29 - Vendor disclosure
2019-07-31 - Vendor acknowledged issues under review
2019-08-13 - Vendor acknowledged work to fix issues & testing
2019-08-30 - Vendor patched/released new version
2019-09-03 - Public disclosure


Discovered by Yuri Kramarz of Security Advisory EMEAR