PT-2018-9422 · Nethesis · Openpsa

Prodigysml

Published 2018-06-26 · Updated 2020-08-24

CVE-2018-1000525

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the vulnerable software and affected versions: openpsa, all versions prior to the one containing commit 097eae0.

Description: PHP Object Injection (deserialization of untrusted data). Form data that openpsa carries in GET request variables is restored on the server with PHP's unserialize(), so a request whose GET parameters contain a crafted serialized object makes the application instantiate that object with attacker-chosen property values. Any magic method (such as __wakeup() or __destruct()) on a class the application can load then runs on that data, which can lead to information disclosure and remote code execution. No authentication or user interaction is required, as the vector above (PR:N/UI:N) reflects.

Recommendations: Update to a version that includes commit 097eae0. Until the update is applied: never pass user-supplied input to unserialize(); if form state must round-trip through the client, carry it in a format that cannot instantiate objects (for example JSON) or, at minimum, call unserialize() with ['allowed_classes' => false] so that any embedded object degrades to __PHP_Incomplete_Class and no magic method runs; validate GET request variables and reject values that look like serialized objects; and restrict access to sensitive data so that a successful injection has less to reach.
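The pattern this advisory describes, shown as an added example that is not openpsa's own code: a form-state handler that feeds a GET variable to unserialize(), a class with a side-effecting __destruct() that becomes a gadget once its properties are attacker-controlled, the hardened replacement that carries state as JSON, and the interim input check suggested above. The class TempFileCleaner, the parameter name form_state, and the function names are hypothetical; the real gadget chain in openpsa is not described on this page.

```php
<?php
// Added example, not code from openpsa. Names are hypothetical.

// A class available to the application's autoloader. Its __destruct() runs
// whenever an instance is garbage-collected, so once unserialize() builds an
// instance from attacker data, the attacker chooses $path.
class TempFileCleaner
{
    public $path = '';

    public function __destruct()
    {
        if ($this->path !== '' && file_exists($this->path)) {
            unlink($this->path); // side effect reachable from deserialized data
        }
    }
}

// Vulnerable: form state round-tripped through a GET variable and restored
// with unserialize(). Any loadable class can be instantiated with
// attacker-chosen properties, and its magic methods run.
function restoreFormStateVulnerable(array $get): array
{
    $raw = $get['form_state'] ?? '';
    $state = @unserialize($raw); // no allowed_classes restriction
    return is_array($state) ? $state : [];
}

// Hardened: state travels as JSON. json_decode() can only yield scalars and
// arrays, so no object and no magic method is ever created from the input.
function restoreFormStateHardened(array $get): array
{
    $raw = $get['form_state'] ?? '';
    $state = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    return is_array($state) ? $state : [];
}

// Interim check for GET variables while the fix is pending: reject anything
// that carries a serialized PHP object (O:<len>:"Class") or a serialized
// custom-serializable object (C:<len>:"Class").
function looksLikeSerializedObject(string $value): bool
{
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $value);
}

// Payload an attacker would place in ?form_state=... (constructed here by
// hand rather than with serialize(), so no real instance is created yet).
$scratch = tempnam(sys_get_temp_dir(), 'poi');
$payload = sprintf('O:15:"TempFileCleaner":1:{s:4:"path";s:%d:"%s";}',
                   strlen($scratch), $scratch);

var_dump(looksLikeSerializedObject($payload));        // bool(true)
var_dump(looksLikeSerializedObject('{"page":2}'));    // bool(false)

// Vulnerable path: the object is instantiated, discarded because it is not
// an array, and its __destruct() deletes the attacker-chosen file.
restoreFormStateVulnerable(['form_state' => $payload]);
var_dump(file_exists($scratch));                      // bool(false)

// Hardened path: the same payload is not valid JSON and is rejected before
// any object can exist.
$scratch2 = tempnam(sys_get_temp_dir(), 'poi');
$payload2 = sprintf('O:15:"TempFileCleaner":1:{s:4:"path";s:%d:"%s";}',
                    strlen($scratch2), $scratch2);
try {
    restoreFormStateHardened(['form_state' => $payload2]);
} catch (JsonException $e) {
    echo "rejected: " . $e->getMessage() . PHP_EOL;  // rejected: Syntax error
}
var_dump(file_exists($scratch2));                     // bool(true)
unlink($scratch2);
```

The destructor here only deletes a file, but the same mechanism drives information disclosure and code execution when the loadable classes include ones that read files, write templates, or invoke callables in __wakeup() or __destruct(); the fix is to keep untrusted input away from unserialize() altogether, with the regex check serving only as a stopgap.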

Weakness Enumeration

Deserialization of Untrusted Data (CWE-502)

Related identifiers

CVE-2018-1000525

Affected products

Openpsa