Pippo · Pippo · CVE-2018-18628
**Name of the Vulnerable Software and Affected Versions**
Pippo version 1.11.0
**Description**
An issue was discovered where the `SerializationSessionDataTranscoder.decode()` function calls `ObjectInputStream.readObject()` to deserialize a `SessionData` object without checking the object types. This allows an attacker to create a malicious object, base64 encode it, and place it in the `PIPPO_SESSION` field of a cookie, potentially leading to remote code execution when the cookie is sent.
**Recommendations**
For Pippo version 1.11.0, as a temporary workaround, consider disabling the `SerializationSessionDataTranscoder.decode()` function until a patch is available. Restrict the object types that `ObjectInputStream.readObject()` is allowed to deserialize, so that only the expected session classes can be instantiated from the cookie, to minimize the risk of exploitation. Avoid using the `PIPPO_SESSION` field in cookies until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
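As an added illustration of the description and recommendations above (example code, not Pippo's own): a minimal decoder that mirrors the unchecked `readObject()` pattern, next to a hardened version that restricts the object types through a deserialization allowlist. The `SessionData` stand-in, the method names and the Java 9+ `java.io.ObjectInputFilter` API are assumptions made for this example.

```java
import java.io.*;
import java.util.Base64;

// Constructed stand-in for the session object; not Pippo's real SessionData class.
class SessionData implements Serializable {
    private static final long serialVersionUID = 1L;
    String userId;
    SessionData(String userId) { this.userId = userId; }
}

public class SessionTranscoderDemo {

    // The pattern the advisory describes: base64-decode the cookie value and call
    // readObject() with no restriction on which classes the stream may instantiate.
    // The cast runs only after the object graph has already been built, so any
    // serializable class on the classpath is reachable from the cookie.
    static SessionData decodeUnchecked(String cookieValue) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(cookieValue);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return (SessionData) in.readObject();
        }
    }

    // Hardened form: an ObjectInputFilter (JEP 290, java.io since Java 9) is consulted
    // for every class descriptor before it is resolved, so a foreign class is rejected
    // with InvalidClassException before any of its deserialization hooks can run.
    // A real allowlist must also name every class reachable from the session graph.
    static SessionData decodeFiltered(String cookieValue) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(cookieValue);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("SessionData;!*"));
            return (SessionData) in.readObject();
        }
    }

    // Produces a benign cookie value so the demo runs offline.
    static String encode(SessionData data) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(data); }
        return Base64.getEncoder().encodeToString(buf.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        String cookie = encode(new SessionData("alice"));
        System.out.println(decodeUnchecked(cookie).userId);
        System.out.println(decodeFiltered(cookie).userId);
    }
}
```

Both decoders accept the benign cookie; the difference shows only when the stream names a class outside the allowlist, which `decodeFiltered` rejects inside `readObject()` rather than after construction.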