cve

In March 2025 the Drupal Security Team released https://www.drupal.org/sa-contrib-2025-021 (assigned CVE-2025-3169) which addressed a Remote Code Execution vulnerability in the Artificial Intelligence (AI) contributed module, which is included in Drupal CMS.

I discovered this vulnerability, and I think it's an interesting one that warrants a closer look.

As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in the Adianti Framework.

The maintainers were responsive to the report and have released a fix in version 8.1

https://adiantiframework.com.br/changelog#810

Details of the report:

https://gist.github.com/mcdruid/8412cfb55f443a1344ff41af0ce1b215

This vulnerability was assigned CVE-2025-3590.

As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in b1gMail.

The maintainer was very responsive to the report and addressed the issue quickly. Thanks!

https://github.com/b1gMail-OSS/b1gMail/releases/tag/7.4.1-pl2

Details of the report:

https://gist.github.com/mcdruid/cb0b848c12fd6a6bc0c1b3357b983d30

As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in the Pair Framework.

The maintainer, Viames, was very responsive to the report and addressed the issue quickly. Thanks!

https://github.com/viames/pair/releases/tag/2.0.0-beta

The fix was also backported to the earlier branch, with release 1.9.12

Details of the report:

As part of my research into Gadget Chains and PHP Object Injection, I discovered an unsafe deserialisation vulnerability in The Marketer OpenCart module.

There are Gadget Chains available in Opencart - including a few that I found and submitted to the PHPGGC project:

https://github.com/ambionics/phpggc/pull/199 (not yet merged).

The vulnerability in The Marketer module, combined with these Gadget Chains, allows remote unauthenticated RCE so it got a very high CVSS score.

As part of my research into Gadget Chains and PHP Object Injection, I discovered exploitable vulnerabilities in three different XOOPS modules.

The XOOPS team responded quickly to my report, and fixes were released not long after. They were very good to work with.

They published details here:

https://xoops.org/modules/newbb/viewtopic.php?topic_id=79555

The specific fixes were:

As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in the MODX Login Extra project.

The MODX team responded immediately to my report and a fix was released within hours - very impressive!

They published details here:

https://community.modx.com/t/modx-login-extra-php-object-injection-vulne...

This was assessed as:

As part of my research into Gadget Chains and PHP Object Injection, I discovered a vulnerability in the Lightning OpenCart module.

(POP/) Gadget Chains exist in OpenCart (3 and 4) which allow Object Injection vulnerabilities to be exploited, for example to write arbitrary files or achieve Remote Code Execution.

The maintainer was very responsive to the report and addressed the issue quickly. Thanks!

Details: https://gist.github.com/mcdruid/f8153d7d535c0fcba920e83a64953d4e

As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in multiple OpenCart modules named aridius_XYZ.

It appears that current "official" releases of Aridius modules are not vulnerable. However, it also appears to be common for "unofficial" versions of the extensions to be used.

At the time of discovery, at least one such unofficial version was available for free download from the OpenCart marketplace - this release was vulnerable.

The vulnerability is exploitable remotely without authentication.

I found multiple SQLi vulnerabilities in the Coinremitter OpenCart module.

The most serious of these allows an unauthenticated attacker to access any and all content stored in the database.

This potentially exposed credentials for a crypto currency wallet, as well as allowing full compromise of the site.

Details: https://gist.github.com/mcdruid/d4bdd8ffb8988bce9408c6bac40a15c5

This was assigned CVE-2025-1117