Design/Logic Flaw
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes...
CVE-2014-8684
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes...
CVE-2014-8684
CVE-2014-8684 affects CodeIgniter before 3.0 and Kohana 3.2.3 and earlier, and 3.3.x through 3.3.2. The issue arises from using standard string comparison operators to compare cryptographic hashes, which enables remote attackers to spoof session cookies and conduct PHP object injection attacks. E...
CVE-2017-14143
The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzon...
Design/Logic Flaw
The wikidecode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object...
CVE-2017-14141
The wikidecode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object...
Hardcoded credentials
The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzon...
CVE-2017-14143
CVE-2017-14143 affects Kaltura prior to 13.2.0. The getUserzoneCookie function uses a hardcoded cookie secret to sign cookies, allowing remote attackers to bypass the intended protection and perform PHP object injection, resulting in arbitrary PHP code execution via a crafted userzone cookie. Pub...
CVE-2017-14141
CVE-2017-14141 affects Kaltura Server prior to 13.2.0. A vulnerability in the wiki_decode Developer System Helper in the admin panel allows remote attackers to perform PHP object injection and execute arbitrary PHP code via a specially crafted serialized object. Impact: arbitrary code execution w...
Remote Code Execution (RCE)
Symfony is vulnerable to remote code execution (RCE). A malicious user can pass a serialized PHP object to the Yaml::parse or Yaml\Parser::parse functions to inject and execute arbitrary code...
Remote Code Execution (RCE)
Slim is vulnerable to remote code execution (RCE) through PHP object injection. A malicious user can inject and execute arbitrary code when a SessionCookie object is deserialised...
PHP Object Injection And Arbitrary Code Execution
anchorcms/anchor-cms is vulnerable to PHP object injection and arbitrary code execution. The vulnerability is possible because system/session/drivers/cookie.php does not filter malicious serialized objects in a cookie, allowing attackers to inject PHP objects and execute arbitrary PHP code...
My Geo Posts Free <= 1.2 - Unauthenticated PHP Object Injection
The plugin my-geo-posts-free insecurely trusts serialized data submitted in HTTP requests. This exposes the site to a PHP object injection vulnerability. The issue is exploitable via HTTP requests to sites with the my-geo-posts-free plugin installed. The original researcher notifi...
NextGEN Gallery geo <= 1.0 - Unauthenticated PHP Object Injection
The plugin nextgen-gallery-geo insecurely trusts serialized data submitted in AJAX requests. This exposes the site to a PHP object injection vulnerability. The original researcher notified the WordPress Plugins team. The issue is exploitable via AJAX calls to sites with the...
Row Seats Core <= 2.66 - Unauthenticated PHP Object Injection
The plugin row-seats insecurely trusts serialized data submitted in HTTP requests. This exposes the site to a PHP object injection vulnerability. This vulnerability was patched in version 2.68; the information is being released now because the disclosure period has expired. PoC...