3587 matches found

Patchstack
added 2017/09/28 12:0 a.m., 8 views

WordPress MarketPress plugin <=3.2.6 - PHP Object Injection vulnerability

PHP Object Injection vulnerability found by Robert R in WordPress MarketPress plugin versions <=3.2.6. Solution: Update the WordPress MarketPress plugin to the latest available version (at least 3.2.7)...

2.7 AI score
Exploits 0, References 1, Affected Software 1

Patchstack
added 2017/09/25 12:0 a.m., 7 views

WordPress Shoppable Images Lite plugin <=1.0.0 - Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerabilities

WordPress Shoppable Images Lite plugin Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerabilities were found in the showadminnotices function. The value of the $_GET nonce variable is unserialized, which allows PHP object injection. Solution: Update the plugin...

3.2 AI score
Exploits 0, References 2, Affected Software 1

Prion
added 2017/09/19 7:29 p.m., 20 views

Design/Logic Flaw

CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes...

7.5 CVSS, 7.4 AI score, 0.44845 EPSS
Exploits 5, References 4, Affected Software 2

NVD
added 2017/09/19 7:29 p.m., 24 views

CVE-2014-8684

CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes...

9.8 CVSS, 9.6 AI score, 0.44845 EPSS
Exploits 5, References 4

CVE
added 2017/09/19 7:0 p.m., 89 views

CVE-2014-8684

CVE-2014-8684 affects CodeIgniter before 3.0 and Kohana 3.2.3 and earlier, and 3.3.x through 3.3.2. The issue arises from using standard string comparison operators to compare cryptographic hashes, which enables remote attackers to spoof session cookies and conduct PHP object injection attacks. E...

9.8 CVSS, 9.5 AI score, 0.44845 EPSS
Exploits 5, References 4, Affected Software 2

Cvelist
added 2017/09/19 7:0 p.m., 26 views

CVE-2014-8684

CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes...

9.7 AI score, 0.44845 EPSS
Exploits 5, References 4

NVD
added 2017/09/19 3:29 p.m., 18 views

CVE-2017-14143

The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzon...

9.8 CVSS, 9.7 AI score, 0.77447 EPSS
Exploits 12, References 5

OSV
added 2017/09/19 3:29 p.m., 12 views

CVE-2017-14143

The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzon...

9.8 CVSS, 7.8 AI score
Exploits 0, References 5

Prion
added 2017/09/19 3:29 p.m., 18 views

Design/Logic Flaw

The wiki_decode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object...

6.5 CVSS, 7.3 AI score, 0.02194 EPSS
Exploits 3, References 3, Affected Software 1

NVD
added 2017/09/19 3:29 p.m., 16 views

CVE-2017-14141

The wiki_decode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object...

7.2 CVSS, 7.4 AI score, 0.02194 EPSS
Exploits 3, References 3

Prion
added 2017/09/19 3:29 p.m., 20 views

Hardcoded credentials

The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzon...

7.5 CVSS, 9.6 AI score, 0.77447 EPSS
Exploits 12, References 5, Affected Software 1

OSV
added 2017/09/19 3:29 p.m., 17 views

CVE-2017-14141

The wiki_decode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object...

7.2 CVSS, 7.9 AI score
Exploits 0, References 3

CVE
added 2017/09/19 3:0 p.m., 73 views

CVE-2017-14143

CVE-2017-14143 affects Kaltura prior to 13.2.0. The getUserzoneCookie function uses a hardcoded cookie secret to sign cookies, allowing remote attackers to bypass the intended protection and perform PHP object injection, resulting in arbitrary PHP code execution via a crafted userzone cookie. Pub...

9.8 CVSS, 8.5 AI score, 0.77447 EPSS
Exploits 12, References 5, Affected Software 1

Cvelist
added 2017/09/19 3:0 p.m., 38 views

CVE-2017-14143

The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzon...

8.7 AI score, 0.77447 EPSS
Exploits 12, References 5

CVE
added 2017/09/19 3:0 p.m., 61 views

CVE-2017-14141

CVE-2017-14141 affects Kaltura Server prior to 13.2.0. A vulnerability in the wiki_decode Developer System Helper in the admin panel allows remote attackers to perform PHP object injection and execute arbitrary PHP code via a specially crafted serialized object. Impact: arbitrary code execution w...

7.2 CVSS, 7.3 AI score, 0.02194 EPSS
Exploits 3, References 3, Affected Software 1

Cvelist
added 2017/09/19 3:0 p.m., 19 views

CVE-2017-14141

The wiki_decode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object...

7.3 AI score, 0.02194 EPSS
Exploits 3, References 3

Veracode
added 2017/07/30 7:36 a.m., 11 views

Remote Code Execution (RCE)

Symfony is vulnerable to remote code execution (RCE). A malicious user can pass a serialized PHP object to YAML:parse or Yaml\Parser::parse functions to inject and execute arbitrary code...

7.5 CVSS, 7.6 AI score, 0.00619 EPSS
Exploits 0, References 4, Affected Software 1

Veracode
added 2017/07/30 4:39 a.m., 18 views

Remote Code Execution (RCE)

Slim is vulnerable to Remote Code Execution (RCE) through PHP Object Injections. A malicious user can inject and execute arbitrary code when deserialising a SessionCookie object...

7.5 CVSS, 7.5 AI score, 0.00555 EPSS
Exploits 0, References 5, Affected Software 1

Veracode
added 2017/07/29 2:12 a.m., 15 views

PHP Object Injection And Arbitrary Code Execution

anchorcms/anchor-cms is vulnerable to PHP object injection and arbitrary code execution. The vulnerability is possible because system/session/drivers/cookie.php does not filter malicious serialized objects in a cookie, allowing attackers to inject PHP objects and execute arbitrary PHP code...

7.5 CVSS, 7.6 AI score, 0.00553 EPSS
Exploits 1, References 4, Affected Software 1

wpexploit
added 2017/04/27 12:0 a.m., 17 views

My Geo Posts Free <= 1.2 - Unauthenticated PHP Object Injection

The plugin my-geo-posts-free insecurely trusts serialized data submitted over HTTP requests. This opens up the site to a PHP object injection vulnerability potential exploit vector. Attack is exploitable over HTTP requests to sites with the my-geo-posts-free Plugin. The original researcher notifi...

0.5 AI score
Exploits 0, References 1