CVE-2021-25294

Name of the Vulnerable Software and Affected Versions: OpenCATS versions 0.9.5-3 and earlier

Description: The issue arises from the unsafe deserialization of requests to "index.php?m=activity", leading to remote code execution. This occurs because lib/DataGrid.php calls unserialize for the activity:ActivityDataGrid parameter. The PHP object injection exploit chain can leverage an destruct magic method in guzzlehttp.

Recommendations: For OpenCATS versions 0.9.5-3 and earlier, consider disabling the unserialize function call in lib/DataGrid.php for the activity:ActivityDataGrid parameter until a patch is available. Restrict access to the "index.php?m=activity" endpoint to minimize the risk of exploitation. Avoid using the activity:ActivityDataGrid parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.