Solon Barroso Da Silva

#37589 of 53,633
7.5 Total CVSS
Vulnerabilities · 1
PT-2025-52346
7.5
2025-12-18
Unknown · To3K Twittodon · CVE-2025-63950
**Name of the Vulnerable Software and Affected Versions**

to3k Twittodon versions prior to commit b1c58a7d1dc664b38deb486ca290779621342c0b

**Description**

An insecure deserialization issue exists in the `download.php` script of the to3k Twittodon application. The `obj` parameter accepts base64-encoded data which is then passed to the `unserialize()` function without proper validation. This allows a remote, unauthenticated attacker to inject arbitrary PHP objects, potentially causing a denial of service.

**Recommendations**

Versions prior to commit b1c58a7d1dc664b38deb486ca290779621342c0b should be updated. As a temporary workaround, consider restricting access to the `download.php` script until a patch is available. Ensure the `obj` parameter is properly validated before being passed to the `unserialize()` function.
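
One way to apply the validation recommended above, as an added example that is not Twittodon's code and not the fix in the referenced commit. The helper names `decode_obj_param` and `contains_object`, the size cap, and the assumption that `obj` only needs to carry arrays and scalars are hypothetical, since the page does not show the `download.php` source.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, NOT Twittodon's code. Assumption: the `obj` value
// only needs to carry arrays and scalars (the page does not show its format).
const MAX_OBJ_BYTES = 8192; // constructed size cap for the encoded parameter

// True if any element, at any depth, is an object placeholder.
function contains_object(array $data): bool
{
    foreach ($data as $value) {
        if (is_object($value) || (is_array($value) && contains_object($value))) {
            return true;
        }
    }
    return false;
}

function decode_obj_param(?string $raw): ?array
{
    if ($raw === null || $raw === '' || strlen($raw) > MAX_OBJ_BYTES) {
        return null;
    }
    // Strict mode rejects characters outside the base64 alphabet.
    $bytes = base64_decode($raw, true);
    if ($bytes === false) {
        return null;
    }
    // allowed_classes => false turns every serialized object into
    // __PHP_Incomplete_Class, so no application class is instantiated and
    // no __wakeup()/__destruct() magic method runs. max_depth needs PHP 7.4+.
    $value = @unserialize($bytes, ['allowed_classes' => false, 'max_depth' => 4]);
    if (!is_array($value) || contains_object($value)) {
        return null; // failed parse, non-array top level, or nested object
    }
    return $value;
}

// Constructed sample inputs, built locally for illustration.
$good   = base64_encode(serialize(['id' => 42, 'name' => 'export']));
$object = base64_encode(serialize(new ArrayObject([1, 2, 3])));
$nested = base64_encode(serialize(['id' => 1, 'x' => new stdClass()]));

var_dump(decode_obj_param($good));         // array with 'id' and 'name'
var_dump(decode_obj_param($object));       // NULL: top-level object rejected
var_dump(decode_obj_param($nested));       // NULL: nested object rejected
var_dump(decode_obj_param('not base64!')); // NULL: strict decode fails
```

Where the caller can be changed as well, carrying the data as JSON and parsing it with `json_decode()` avoids PHP object instantiation altogether.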