Ali Maharramli

Researcher from SecondX.io Research Team
#29240 of 53,633
8.8 Total CVSS
Vulnerabilities · 1
PT-2024-20520
8.8
2024-03-23
Gibbon · Gibbon · CVE-2024-24725
**Name of the Vulnerable Software and Affected Versions**

Gibbon versions 26.0.00 and earlier

**Description**

The issue allows remote authenticated users to conduct PHP deserialization attacks via the `columnOrder` parameter in a POST request to the "/modules/System%20Admin/import run.php&type=externalAssessment&step=4" API endpoint. No information is provided about the estimated number of potentially affected devices worldwide or about real-world incidents in which this issue was exploited.

**Recommendations**

For Gibbon versions 26.0.00 and earlier, restrict access to the System Admin module and patch as soon as possible to mitigate the risk of exploitation. As a temporary workaround, consider restricting the use of the `columnOrder` parameter in the affected API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.