2 matches found
VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files
Summary vcrpy deserializes YAML cassette files with PyYAML's object-constructing loader yaml.CLoader / yaml.Loader instead of the safe loader yaml.CSafeLoader / yaml.SafeLoader. A cassette containing a !!python/object/apply: or similar tag therefore executes arbitrary Python code the moment the...
Internet Bug Bounty: PHP yaml_parse/yaml_parse_file/yaml_parse_url Unsafe Deserialization
https://bugs.php.net/bug.php?id=69617 Description: ------------ The PHP unserialize function is considered unsafe due to its behavior regarding class instantiation; in cases where serialized data is attacker controlled, it can be tampered with, allowing for the instantiation of arbitrary PHP...