CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score confidence: Low
EPSS percentile: 78.7%
https://github.com/slimphp/Slim/blob/master/Slim/Middleware/SessionCookie.php#L127

Generally, it’s a bad idea to blindly unserialize() user-controllable input.

https://www.owasp.org/index.php/PHP_Object_Injection

EDIT - for people who don’t want to read the whole thread: The SessionCookie class is not used by default, you have to actually write your application to use it. So this means that the unserialize() -> RCE possibility is only for the select few apps that explicitly use this feature. The default is the native session driver, which is of course not vulnerable.
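The following is an added example illustrating the point of the report above; it is not Slim's SessionCookie middleware and none of the function names are from the project. It contrasts the pattern the issue warns about (calling unserialize() on a raw cookie value) with two defensive alternatives: restricting unserialize() with `allowed_classes => false` (PHP 7.0+) when the serialize() format must be kept, and the preferred approach of storing only plain JSON data in the cookie and authenticating it with an HMAC so a client cannot tamper with it. The secret key and session values are constructed placeholders.

```php
<?php
declare(strict_types=1);

// Added example (not Slim's code). Three ways to turn a cookie value back into
// session data, from the risky pattern to a hardened one.

// Pattern the issue warns about: the cookie value is fully client-controlled, and
// unserialize() instantiates whatever classes the payload names, so any class
// with side effects in __wakeup()/__destruct() becomes reachable (PHP Object Injection).
function decodeUnsafe(string $cookieValue)
{
    return unserialize($cookieValue);
}

// Mitigation when the serialize() format must be kept (PHP >= 7.0): refuse to
// instantiate any class; objects in the payload become __PHP_Incomplete_Class
// and no magic methods of application classes run.
function decodeNoClasses(string $cookieValue)
{
    return unserialize($cookieValue, ['allowed_classes' => false]);
}

// Hardened approach: keep only plain data, encode it as JSON, and authenticate
// the cookie with an HMAC so a forged or modified cookie is rejected outright.
function encodeSigned(array $data, string $secret): string
{
    $payload = base64_encode(json_encode($data, JSON_THROW_ON_ERROR));
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $mac;
}

function decodeSigned(string $cookieValue, string $secret): ?array
{
    $parts = explode('.', $cookieValue, 2);
    if (count($parts) !== 2) {
        return null;                          // malformed cookie
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $mac)) {      // constant-time comparison
        return null;                          // tampered or forged cookie
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    // Decode to associative arrays only: JSON can never yield application objects.
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// Constructed demo values (placeholders, not from the report).
$secret = 'replace-with-a-random-32-byte-key';
$cookie = encodeSigned(['user_id' => 42, 'role' => 'member'], $secret);

var_dump(decodeSigned($cookie, $secret));          // array with user_id and role
var_dump(decodeSigned($cookie . 'x', $secret));    // NULL: MAC check fails
var_dump(decodeNoClasses('O:8:"stdClass":0:{}'));  // __PHP_Incomplete_Class, nothing executed
```

The signed-JSON variant is the one to prefer for a cookie-backed session: the MAC check runs before any decoding, so untrusted bytes never reach a parser, and JSON has no notion of object instantiation at all. `allowed_classes => false` is a narrower fallback for code that cannot change its storage format; it removes the object-injection vector but still leaves the cookie contents unauthenticated.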