Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction
GitHub Security Advisory Draft — GM-374 Summary Multiple locations in Pimcore v11 call PHP's unserialize on data from database columns and filesystem files without the allowedclasses restriction, enabling object injection if an attacker can control the serialized data source. Severity CVSS 3.1: 8...