PT-2019-14844 · Okaycms

Wolfgang Hotwagner · Published 2019-12-03 · Updated 2020-08-24 · CVE-2019-16885

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OkayCMS versions prior to 2.3.5

Description: An unauthenticated remote attacker can achieve remote code execution by injecting a malicious PHP object through a crafted cookie. The cookie value is deserialized by the application without restricting which classes may be instantiated, so a payload naming a class available to the application is instantiated and its magic methods run with the attacker's property values. Two code paths are affected: view/ProductsView.php, which deserializes the price filter cookie, and api/Comparison.php, which deserializes the comparison cookie. No authentication, privileges or user interaction are required, which is why the vector is rated AV:N/AC:L/PR:N/UI:N.

Recommendations: Update to OkayCMS 2.3.5 or later, which resolves the issue. Where the update cannot be applied immediately, restrict access to view/ProductsView.php and api/Comparison.php (for example with a web server access rule), and do not rely on the price filter and comparison cookies in those endpoints until the update is in place. Note that blocking the two files only removes the known entry points; any other code path that passes cookie data to PHP deserialization would be equally exposed.
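The following is an added illustration of the pattern the advisory describes and of one hardened form; it is not OkayCMS code and not the vendor's 2.3.5 patch. The class CacheFile is a hypothetical stand-in for whatever application class a real payload would name, the cookie name "price_filter" is an assumption (the advisory says only "price filter" and "comparison"), and the allowlist-free `unserialize()` call is the generic vulnerable pattern, not a quote of the affected files. Requires PHP 7.4 or later.

```php
<?php
declare(strict_types=1);
// Added example, not OkayCMS code. CacheFile is hypothetical; "price_filter"
// as a cookie name is an assumption; the hardening is a generic remediation,
// not the vendor's fix.

// Hypothetical class standing in for any autoloadable application class whose
// magic methods act on attacker-controlled properties. A real payload names a
// class that already exists in the code base; the attacker uploads no code.
final class CacheFile
{
    public string $path = '';
    public string $data = '';

    // Runs when the object is released, which happens as soon as the
    // deserialized value is discarded, with no explicit call from the app.
    public function __destruct()
    {
        echo "[CacheFile::__destruct] would write to {$this->path}\n";
    }
}

// VULNERABLE: unserialize() on cookie data with default options instantiates
// any class named in the payload, so __wakeup/__destruct of arbitrary classes run.
function readCookieVulnerable(array $cookies, string $name): array
{
    if (!isset($cookies[$name])) {
        return [];
    }
    $value = unserialize($cookies[$name]);
    return is_array($value) ? $value : [];
}

// HARDENED: forbid object instantiation (allowed_classes, PHP >= 7.0) and
// accept only the expected shape, here a list of positive integer ids.
function readCookieSafe(array $cookies, string $name): array
{
    if (!isset($cookies[$name]) || !is_string($cookies[$name])) {
        return [];
    }
    $value = @unserialize($cookies[$name], ['allowed_classes' => false]);
    if (!is_array($value)) {
        return [];
    }
    return array_values(array_filter(
        $value,
        static fn($id): bool => is_int($id) && $id > 0
    ));
}

// Constructed inputs: a benign cookie as a shop might set it, and a crafted one
// naming a class the application never intended to deserialize.
$benign  = serialize([12, 34]);
$crafted = 'O:9:"CacheFile":2:{s:4:"path";s:6:"/tmp/x";s:4:"data";s:0:"";}';

foreach (['comparison', 'price_filter'] as $name) {
    echo "== cookie '$name' ==\n";

    $out = readCookieVulnerable([$name => $benign], $name);
    echo "vulnerable, benign : ", json_encode($out), "\n";

    // The "[CacheFile::__destruct]" line that appears here comes from the
    // hypothetical class, which nothing in this script calls explicitly:
    // the crafted cookie alone caused that code to run.
    $out = readCookieVulnerable([$name => $crafted], $name);
    echo "vulnerable, crafted: ", json_encode($out), "\n";

    $out = readCookieSafe([$name => $benign], $name);
    echo "hardened, benign   : ", json_encode($out), "\n";

    $out = readCookieSafe([$name => $crafted], $name);
    echo "hardened, crafted  : ", json_encode($out), "\n";
}
```

With `allowed_classes => false`, the crafted payload deserializes to a `__PHP_Incomplete_Class` instance whose magic methods never run, and the shape check then discards it. A still stronger remediation is to stop using PHP serialization for client-controlled state altogether and store such lists as JSON or as a server-side session entry keyed by an opaque cookie value.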

References: Exploit · Fix

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2019-16885

Affected Products: Okaycms