Vulnerabilities > CVE-2018-1000525 - Deserialization of Untrusted Data vulnerability in Openpsa2 Openpsa

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

openpsa2

CWE-502

NVD

Published: 2018-06-26

Updated: 2020-08-24

Summary

openpsa contains a PHP Object Injection vulnerability in Form data passed as GET request variables that can result in Possible information disclosure and remote code execution. This attack appear to be exploitable via Specially crafted GET request variable containing serialised PHP object. This vulnerability appears to have been fixed in after commit 097eae0.

Vulnerable Configurations

Part	Description	Count
Application	Openpsa2 Openpsa2 Openpsa -	1

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://0dd.zone/2018/05/31/OpenPSA-Object-Injection/
https://github.com/flack/openpsa/issues/191