Xananasx7

#16102 of 53,632
16.8 Total CVSS
Vulnerabilities · 2
High · 2
PT-2026-48390
8.4
2026-06-10
Unknown · Concrete Cms · CVE-2026-10721
**Name of the Vulnerable Software and Affected Versions**
Concrete CMS versions prior to 9.5.2

**Description**
PHP Object Injection occurs due to insecure deserialization within the Permission, Cache, and Search components. These components use the `unserialize()` function on stored data without restricting allowed classes. An unauthenticated attacker can trigger arbitrary PHP object instantiation if a malicious serialized payload is placed in the database, which may lead to remote code execution. This process requires the attacker to have high privileges to write the malicious serialized data to the relevant store.

**Recommendations**
Upgrade to version 9.5.2 or later.
PT-2026-46047
8.4
2026-06-03
Unknown · Concrete Cms · CVE-2026-7888
**Name of the Vulnerable Software and Affected Versions**
Concrete CMS versions prior to 9.5.2

**Description**
PHP Object Injection occurs due to the use of `unserialize()` calls within the Workflow, Form block, and File/Set components that do not implement the `allowed_classes` restriction. This allows an unauthenticated attacker to trigger arbitrary PHP object instantiation if a malicious serialized payload is present in the database.

**Recommendations**
Update to version 9.5.2 or later.