-- [ Security Advisory: PHP Object Injection in e107 CMS 2.x (CVE-2025-61505)

Published Date: October 10, 2025
CVE ID: CVE-2025-61505
 
--[ Summary
 
A PHP Object Injection vulnerability (CWE-502: Deserialization of 
Untrusted Data) was discovered in the installation script (install.php) 
of e107 CMS version 2.3.3. The vulnerability allows unauthenticated 
remote attackers to craft malicious serialized data, potentially leading 
to arbitrary code execution, data manipulation, or other malicious actions,
depending on the presence of exploitable classes in the e107 codebase or its 
dependencies.

--[ Affected Software
 
Product: e107 CMS
Versions: <= 2.3.3
Component: Installation script (install.php)
 
--[ Vulnerability Details
 
The e107 CMS installation script (install.php) processes user-supplied 
input from the $_POST['previous_steps'] parameter, which is decoded from 
base64 and passed directly to the PHP unserialize() function without validation.
This occurs in two locations:
 
Global Scope:
https://github.com/e107inc/e107/blob/29b7e6d3b3e8936b590186b0f309f56f768a4958/install.php#L266
 
if(isset($_POST['previous_steps'])) {
    $tmp = unserialize(base64_decode($_POST['previous_steps']));
    $override = (isset($tmp['paths']) && isset($tmp['paths']['hash'])) ? 
        array('site_path'=>$tmp['paths']['hash']) : array();
    unset($tmp);
}
 
e_install Class Constructor:
https://github.com/e107inc/e107/blob/29b7e6d3b3e8936b590186b0f309f56f768a4958/install.php#L390

if(isset($_POST['previous_steps'])) {
    $this->previous_steps = unserialize(base64_decode($_POST['previous_steps']));
    $tmpadminpass2 = (isset($this->previous_steps['admin'])) ? 
        $this->previous_steps['admin']['password'] : '';
    $this->previous_steps = $tp->filter($this->previous_steps);
    $this->previous_steps['admin']['password'] = $tmpadminpass2;
    unset($_POST['previous_steps']);
    unset($tmpadminpass2);
}
 
This insecure deserialization allows an attacker to submit a crafted
base64-encoded serialized string via the previous_steps parameter.

--[ Mitigation

Remove install.php: Delete the installation script after completing CMS setup.
Restrict Access: Use server configuration (e.g., .htaccess) to block access to install.php.

--[ Disclosure Timeline

2025-08-25: Vulnerability discovered 
2025-10-10: CVE-2025-61505 assigned by MITRE.
2025-10-10: Public advisory published.

--[ References
 
e107 CMS Official Website: https://e107.org
e107 CMS GitHub Repository: https://github.com/e107inc/e107
CVE Record: CVE-2025-61505 (to be updated upon publication)
CWE-502: Deserialization of Untrusted Data: https://cwe.mitre.org/data/definitions/502.html

--[ 	Index	 ]--