Vulnerabilities > CVE-2018-18628 - Deserialization of Untrusted Data vulnerability in Pippo 1.11.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode() calls ObjectInputStream.readObject() to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPO_SESSION field of a cookie. Sending this cookie may lead to remote code execution.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |