CWE-502
AllowedDeserialization of Untrusted Data
Abstraction: Base · Status: Draft
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
4801 vulnerabilities reference this CWE, most recent first.
GHSA-VJ2F-C594-7C7C
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34Deserialization of untrusted data vulnerability in XooNIps 3.49 and earlier allows remote attackers to execute arbitrary code via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2020-5664"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-16T05:15:00Z",
"severity": "CRITICAL"
},
"details": "Deserialization of untrusted data vulnerability in XooNIps 3.49 and earlier allows remote attackers to execute arbitrary code via unspecified vectors.",
"id": "GHSA-vj2f-c594-7c7c",
"modified": "2022-05-24T17:34:22Z",
"published": "2022-05-24T17:34:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5664"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU92053563/index.html"
},
{
"type": "WEB",
"url": "https://xoonips.osdn.jp/modules/news/index.php?page=article\u0026storyid=13"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VJ3M-2G9H-VM4P
Vulnerability from github – Published: 2026-05-05 21:29 – Updated: 2026-05-05 21:29Multiple RCE vectors were found in Grav CMS. Three are critical, two are high.
1. Unsafe unserialize() in JobQueue — direct RCE gadget (Critical)
system/src/Grav/Common/Scheduler/JobQueue.php:465 calls unserialize(base64_decode(...)) without restricting allowed_classes. The Job class has call_user_func_array($this->command, $this->args) in its execution path, which is a direct gadget chain — inject a serialized Job with command = 'system' and args = ['whoami'].
The same codebase actually has a Serializable trait that correctly restricts classes, so this inconsistency stands out.
2. Unsafe unserialize() in FileCache — arbitrary class instantiation (Critical)
system/src/Grav/Framework/Cache/Adapter/FileCache.php:75 does unserialize($value, ['allowed_classes' => true]). That true allows instantiation of any class. If an attacker can write to the cache directory (via any file write primitive), they get object injection → RCE.
3. Unsafe unserialize() in Session (High)
system/src/Grav/Common/Session.php:116 — same allowed_classes => true pattern on session data. Lower severity since session storage is typically more restricted.
4. Command injection in git clone (Critical)
system/src/Grav/Console/Cli/InstallCommand.php:150 — only $this->destination uses escapeshellarg(). The $data['branch'], $data['url'], and $data['path'] variables go directly into the shell command without escaping. Admin-accessible via plugin/theme installation.
5. SSTI blocklist bypass (High)
system/src/Grav/Common/Security.php:267-286 — cleanDangerousTwig() blocks twig_array_map and twig_array_filter but not twig_array_reduce. Also missing file_get_contents and fwrite from the dangerous function blocklist. An attacker who can inject Twig templates can bypass the security filter.
All five are independently exploitable. The unserialize issues are the most concerning since they don't require admin access if there's any file write primitive.
— ProScan AppSec | proscan.one
Maintainer note — fix applied (2026-04-24)
Fixed in Grav core on the 2.0 branch: commit c66dfeb5f (items #1, #2, #3, #4) and commit 38685ac25 + c66dfeb5f (item #5) — ships in 2.0.0-beta.2.
All five vectors addressed:
-
Scheduler\JobQueue unsafe unserialize —
serialized_jobnow carries a siblingserialized_job_hmacsigned withSecurity::getNonceKey().reconstructJobrefuses to unserialize an item whose HMAC is missing/mismatched and falls through to the safe structured-fields rebuild. A tampered queue file can no longer smuggle a forgedJobfor direct RCE viaJob::exec → call_user_func_array.
→system/src/Grav/Common/Scheduler/JobQueue.php -
FileCache unsafe unserialize — same HMAC-integrity approach; see separate GHSA-gwfr-jfjf-92vv.
→system/src/Grav/Framework/Cache/Adapter/FileCache.php -
Session::getFlashObject unsafe unserialize — payload now wrapped in a
v2|<hmac>|<serialized>envelope; legacy/forged envelopes return null instead of triggeringunserialize.
→system/src/Grav/Common/Session.php -
InstallCommand
git cloneshell injection —branch,url, andpathvalues read fromuser/.dependenciesare now passed throughescapeshellarg, with a--separator before url/path to block option-injection (e.g.--upload-pack=evil).
→system/src/Grav/Console/Cli/InstallCommand.php -
SSTI blocklist bypass —
twig_array_reduce(the specific name called out) plustwig_array_someandtwig_array_everyadded tocleanDangerousTwig'sCALLABLE_DANGEROUS_NAMESalongside the existingtwig_array_map/filter. More importantly, the new Twig content sandbox in 2.0.0-beta.2 blocks this class of attack at a different layer — see the sandbox work in38685ac25.
→system/src/Grav/Common/Security.php
Tests:
- tests/unit/Grav/Common/Security/UnserializeIntegritySecurityTest.php — 8 cases covering JobQueue + Session HMAC integrity.
- tests/unit/Grav/Common/Security/FileCacheSecurityTest.php.
- tests/unit/Grav/Common/Security/CleanDangerousTwigTest.php — new twig_array_* entries in providerCallbackFunctions.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getgrav/grav"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0-beta.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-502",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T21:29:02Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Multiple RCE vectors were found in Grav CMS. Three are critical, two are high.\n\n**1. Unsafe unserialize() in JobQueue \u2014 direct RCE gadget (Critical)**\n\n`system/src/Grav/Common/Scheduler/JobQueue.php:465` calls `unserialize(base64_decode(...))` without restricting `allowed_classes`. The `Job` class has `call_user_func_array($this-\u003ecommand, $this-\u003eargs)` in its execution path, which is a direct gadget chain \u2014 inject a serialized `Job` with `command = \u0027system\u0027` and `args = [\u0027whoami\u0027]`.\n\nThe same codebase actually has a `Serializable` trait that correctly restricts classes, so this inconsistency stands out.\n\n**2. Unsafe unserialize() in FileCache \u2014 arbitrary class instantiation (Critical)**\n\n`system/src/Grav/Framework/Cache/Adapter/FileCache.php:75` does `unserialize($value, [\u0027allowed_classes\u0027 =\u003e true])`. That `true` allows instantiation of any class. If an attacker can write to the cache directory (via any file write primitive), they get object injection \u2192 RCE.\n\n**3. Unsafe unserialize() in Session (High)**\n\n`system/src/Grav/Common/Session.php:116` \u2014 same `allowed_classes =\u003e true` pattern on session data. Lower severity since session storage is typically more restricted.\n\n**4. Command injection in git clone (Critical)**\n\n`system/src/Grav/Console/Cli/InstallCommand.php:150` \u2014 only `$this-\u003edestination` uses `escapeshellarg()`. The `$data[\u0027branch\u0027]`, `$data[\u0027url\u0027]`, and `$data[\u0027path\u0027]` variables go directly into the shell command without escaping. Admin-accessible via plugin/theme installation.\n\n**5. SSTI blocklist bypass (High)**\n\n`system/src/Grav/Common/Security.php:267-286` \u2014 `cleanDangerousTwig()` blocks `twig_array_map` and `twig_array_filter` but not `twig_array_reduce`. Also missing `file_get_contents` and `fwrite` from the dangerous function blocklist. An attacker who can inject Twig templates can bypass the security filter.\n\nAll five are independently exploitable. The unserialize issues are the most concerning since they don\u0027t require admin access if there\u0027s any file write primitive.\n\n\u2014 ProScan AppSec | proscan.one\n\n\n---\n\n## Maintainer note \u2014 fix applied (2026-04-24)\n\nFixed in Grav core on the `2.0` branch: commit [`c66dfeb5f`](https://github.com/getgrav/grav/commit/c66dfeb5f) (items #1, #2, #3, #4) and commit [`38685ac25`](https://github.com/getgrav/grav/commit/38685ac25) + [`c66dfeb5f`](https://github.com/getgrav/grav/commit/c66dfeb5f) (item #5) \u2014 ships in **2.0.0-beta.2**.\n\nAll five vectors addressed:\n\n1. **Scheduler\\JobQueue unsafe unserialize** \u2014 `serialized_job` now carries a sibling `serialized_job_hmac` signed with `Security::getNonceKey()`. `reconstructJob` refuses to unserialize an item whose HMAC is missing/mismatched and falls through to the safe structured-fields rebuild. A tampered queue file can no longer smuggle a forged `Job` for direct RCE via `Job::exec \u2192 call_user_func_array`. \n \u2192 [`system/src/Grav/Common/Scheduler/JobQueue.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Scheduler/JobQueue.php)\n\n2. **FileCache unsafe unserialize** \u2014 same HMAC-integrity approach; see separate GHSA-gwfr-jfjf-92vv. \n \u2192 [`system/src/Grav/Framework/Cache/Adapter/FileCache.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Framework/Cache/Adapter/FileCache.php)\n\n3. **Session::getFlashObject unsafe unserialize** \u2014 payload now wrapped in a `v2|\u003chmac\u003e|\u003cserialized\u003e` envelope; legacy/forged envelopes return null instead of triggering `unserialize`. \n \u2192 [`system/src/Grav/Common/Session.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Session.php)\n\n4. **InstallCommand `git clone` shell injection** \u2014 `branch`, `url`, and `path` values read from `user/.dependencies` are now passed through `escapeshellarg`, with a `--` separator before url/path to block option-injection (e.g. `--upload-pack=evil`). \n \u2192 [`system/src/Grav/Console/Cli/InstallCommand.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Console/Cli/InstallCommand.php)\n\n5. **SSTI blocklist bypass** \u2014 `twig_array_reduce` (the specific name called out) plus `twig_array_some` and `twig_array_every` added to `cleanDangerousTwig`\u0027s `CALLABLE_DANGEROUS_NAMES` alongside the existing `twig_array_map`/`filter`. More importantly, the new Twig content sandbox in 2.0.0-beta.2 blocks this class of attack at a different layer \u2014 see the sandbox work in [`38685ac25`](https://github.com/getgrav/grav/commit/38685ac25). \n \u2192 [`system/src/Grav/Common/Security.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Security.php)\n\n**Tests:**\n- [`tests/unit/Grav/Common/Security/UnserializeIntegritySecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/UnserializeIntegritySecurityTest.php) \u2014 8 cases covering JobQueue + Session HMAC integrity.\n- [`tests/unit/Grav/Common/Security/FileCacheSecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/FileCacheSecurityTest.php).\n- [`tests/unit/Grav/Common/Security/CleanDangerousTwigTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/CleanDangerousTwigTest.php) \u2014 new `twig_array_*` entries in `providerCallbackFunctions`.",
"id": "GHSA-vj3m-2g9h-vm4p",
"modified": "2026-05-05T21:29:02Z",
"published": "2026-05-05T21:29:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-vj3m-2g9h-vm4p"
},
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
},
{
"type": "PACKAGE",
"url": "https://github.com/getgrav/grav"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass"
}
GHSA-VJ47-XVV7-VCR5
Vulnerability from github – Published: 2023-12-20 15:30 – Updated: 2026-04-28 21:33Deserialization of Untrusted Data vulnerability in Master Slider Master Slider Pro.This issue affects Master Slider Pro: from n/a through 3.6.5.
{
"affected": [],
"aliases": [
"CVE-2023-47507"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-20T14:15:21Z",
"severity": "HIGH"
},
"details": "Deserialization of Untrusted Data vulnerability in Master Slider Master Slider Pro.This issue affects Master Slider Pro: from n/a through 3.6.5.",
"id": "GHSA-vj47-xvv7-vcr5",
"modified": "2026-04-28T21:33:27Z",
"published": "2023-12-20T15:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47507"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/masterslider/wordpress-master-slider-pro-plugin-3-6-5-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VJ7V-2RFM-6P53
Vulnerability from github – Published: 2023-01-31 00:30 – Updated: 2023-02-07 21:30A CWE 502: Deserialization of Untrusted Data vulnerability exists that could allow code to be remotely executed on the server when unsafely deserialized data is posted to the web server. Affected Products: Data Center Expert (Versions prior to V7.9.0)
{
"affected": [],
"aliases": [
"CVE-2022-32521"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-30T23:15:00Z",
"severity": "CRITICAL"
},
"details": "A CWE 502: Deserialization of Untrusted Data vulnerability exists that could allow code to be remotely executed on the server when unsafely deserialized data is posted to the web server. Affected Products: Data Center Expert (Versions prior to V7.9.0)",
"id": "GHSA-vj7v-2rfm-6p53",
"modified": "2023-02-07T21:30:23Z",
"published": "2023-01-31T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32521"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-04_+Data_Center_Expert_Security_Notification.pdf\u0026p_Doc_Ref=SEVD-2022-165-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJ9V-J9W9-C282
Vulnerability from github – Published: 2026-07-13 12:35 – Updated: 2026-07-13 12:35Deserialization of Untrusted Data vulnerability in axiomthemes 777 triple-seven allows Object Injection.This issue affects 777: from n/a through <= 1.13.0.
{
"affected": [],
"aliases": [
"CVE-2026-57738"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-13T10:16:40Z",
"severity": "CRITICAL"
},
"details": "Deserialization of Untrusted Data vulnerability in axiomthemes 777 triple-seven allows Object Injection.This issue affects 777: from n/a through \u003c= 1.13.0.",
"id": "GHSA-vj9v-j9w9-c282",
"modified": "2026-07-13T12:35:04Z",
"published": "2026-07-13T12:35:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57738"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/triple-seven/vulnerability/wordpress-777-theme-1-13-0-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJF3-755P-P4FR
Vulnerability from github – Published: 2025-12-18 09:30 – Updated: 2026-01-20 15:32Deserialization of Untrusted Data vulnerability in TieLabs Jannah jannah allows Object Injection.This issue affects Jannah: from n/a through <= 7.6.0.
{
"affected": [],
"aliases": [
"CVE-2025-64206"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-18T08:16:11Z",
"severity": "CRITICAL"
},
"details": "Deserialization of Untrusted Data vulnerability in TieLabs Jannah jannah allows Object Injection.This issue affects Jannah: from n/a through \u003c= 7.6.0.",
"id": "GHSA-vjf3-755p-p4fr",
"modified": "2026-01-20T15:32:31Z",
"published": "2025-12-18T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64206"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/jannah/vulnerability/wordpress-jannah-theme-7-6-0-php-object-injection-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Theme/jannah/vulnerability/wordpress-jannah-theme-7-6-0-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJH6-VPH2-J2Q4
Vulnerability from github – Published: 2025-07-19 06:30 – Updated: 2025-07-19 06:30The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
{
"affected": [],
"aliases": [
"CVE-2025-7696"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-19T05:15:22Z",
"severity": "CRITICAL"
},
"details": "The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.",
"id": "GHSA-vjh6-vph2-j2q4",
"modified": "2025-07-19T06:30:57Z",
"published": "2025-07-19T06:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7696"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/integration-for-contact-form-7-and-pipedrive/tags/1.2.3/integration-for-contact-form-7-and-pipedrive.php#L953"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3329002"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/integration-for-contact-form-7-and-pipedrive/#developers"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6980112b-a555-47a4-b2d7-f0187d52fc63?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJPG-WM6M-CJG7
Vulnerability from github – Published: 2024-03-20 15:32 – Updated: 2025-01-16 18:30In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a remote threat actor through an insecure deserialization vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-1856"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-20T13:15:15Z",
"severity": "HIGH"
},
"details": "\nIn Progress\u00ae Telerik\u00ae Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a remote threat actor through an insecure deserialization vulnerability.",
"id": "GHSA-vjpg-wm6m-cjg7",
"modified": "2025-01-16T18:30:57Z",
"published": "2024-03-20T15:32:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1856"
},
{
"type": "WEB",
"url": "https://docs.telerik.com/reporting/knowledge-base/deserialization-vulnerability-cve-2024-1801-cve-2024-1856"
},
{
"type": "WEB",
"url": "https://www.telerik.com/products/reporting.aspx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJRH-7RVQ-8GHW
Vulnerability from github – Published: 2025-07-11 06:30 – Updated: 2026-01-23 22:06The communication protocol used between the server process and the service control had a flaw that could lead to a local privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2025-30025"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-11T06:15:24Z",
"severity": "MODERATE"
},
"details": "The communication protocol used between the\nserver process and the service control had a flaw that could lead to a local privilege escalation.",
"id": "GHSA-vjrh-7rvq-8ghw",
"modified": "2026-01-23T22:06:23Z",
"published": "2025-07-11T06:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30025"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/40/0e/03/cve-2025-30025pdf-en-US-485736.pdf"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/f2/28/d2/cve-2025-30025pdf-en-US-517962.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VM3J-G376-5MPF
Vulnerability from github – Published: 2023-01-10 18:30 – Updated: 2023-01-13 15:30Spitfire CMS 1.0.475 is vulnerable to PHP Object Injection.
{
"affected": [],
"aliases": [
"CVE-2022-47083"
],
"database_specific": {
"cwe_ids": [
"CWE-502",
"CWE-74"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-10T17:15:00Z",
"severity": "HIGH"
},
"details": "Spitfire CMS 1.0.475 is vulnerable to PHP Object Injection.",
"id": "GHSA-vm3j-g376-5mpf",
"modified": "2023-01-13T15:30:26Z",
"published": "2023-01-10T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47083"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5720.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Mitigation
Explicitly define a final object() to prevent deserialization.
Mitigation
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Mitigation
Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.