PT-2023-30233 · Phpfox · Phpfox
Egidio Romano · Published 2023-11-02 · Updated 2024-09-06
CVE-2023-46817
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
phpFox versions prior to 4.8.14
Description
An issue was discovered in phpFox where the url request parameter passed to the "/core/redirect" route is not properly sanitized before being used in a call to the unserialize() PHP function. Because unserialize() instantiates whatever classes the serialized input names and runs their magic methods (such as __wakeup() and __destruct()), this can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope (PHP object injection), allowing them to perform a variety of attacks, such as executing arbitrary PHP code.
Recommendations
For versions prior to 4.8.14, update to version 4.8.14 or later, which resolves the issue. If updating cannot be done immediately, restrict access to the /core/redirect route (for example at the web server or reverse proxy) and stop passing the url request parameter to the affected route. The root cause is the unserialize() call on attacker-controlled input, so any interim mitigation must keep that parameter from reaching unserialize(); the workaround is only a stopgap until the update is applied.
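The pattern the description and the recommendations refer to, as an added illustration written for this page (it is not phpFox code, and the TempFile class, the function names and the host allowlist are hypothetical): a redirect handler that unserialize()s the request parameter, a small class showing why any loadable class becomes a gadget, and two alternatives, one that refuses objects as an interim measure and one that validates a plain URL instead of deserializing anything.

```php
<?php
// Added illustration, not phpFox code. Models the advisory's pattern: a
// redirect handler that hands a request parameter to unserialize().

declare(strict_types=1);

// Hypothetical application class. Any class that is loadable when
// unserialize() runs can be instantiated by the attacker with attacker-chosen
// properties; its __wakeup()/__destruct() then execute on that data.
final class TempFile
{
    public string $path = '';

    public function __destruct()
    {
        // With an attacker-controlled $path this is a file-deletion gadget.
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: trust the wire format. A benign caller sends
// s:N:"https://..."; an attacker sends O:8:"TempFile":1:{...} instead.
function redirectTargetVulnerable(string $param): ?string
{
    $value = @unserialize($param);
    // The TempFile object is dropped here and its __destruct() runs.
    return is_string($value) ? $value : null;
}

// Interim option when the wire format cannot be changed yet: refuse objects.
// With allowed_classes => false every O:/C: token becomes
// __PHP_Incomplete_Class, so no application __wakeup()/__destruct() runs.
// This blocks object injection only; the URL itself is still unvalidated.
function redirectTargetNoObjects(string $param): ?string
{
    $value = @unserialize($param, ['allowed_classes' => false]);
    return is_string($value) ? $value : null;
}

// Hardened pattern: never unserialize() user input at all. Accept a plain URL
// and check scheme and host against the application's own allowlist, which
// also closes the open-redirect angle.
function redirectTargetSafe(string $param, array $allowedHosts): ?string
{
    if (filter_var($param, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($param);
    if (!isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }
    return $param;
}

// Demonstration with a constructed payload aimed at a scratch file.
$victim  = tempnam(sys_get_temp_dir(), 'poi');
$payload = sprintf('O:8:"TempFile":1:{s:4:"path";s:%d:"%s";}', strlen($victim), $victim);

printf("before vulnerable call, file exists: %s\n", var_export(file_exists($victim), true));
redirectTargetVulnerable($payload);
printf("after vulnerable call, file exists:  %s\n", var_export(file_exists($victim), true));

var_dump(redirectTargetNoObjects($payload));
var_dump(redirectTargetSafe($payload, ['example.com']));
var_dump(redirectTargetSafe('https://example.com/home', ['example.com']));
var_dump(redirectTargetSafe('https://evil.example/home', ['example.com']));
```

Run with `php example.php`: the scratch file exists before the vulnerable call and is gone after it, because the deserialized TempFile is destructed inside the handler with the attacker's path. The same payload yields NULL from the other two handlers; only the allowlisted https://example.com/home URL is returned by redirectTargetSafe(). The allowed_classes option is the closest in-code equivalent of the advisory's "disable unserialize()" stopgap; replacing the serialized wire format with a validated plain URL is the durable fix.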
Weakness Enumeration
CWE-502: Deserialization of Untrusted Data
Related Identifiers
CVE-2023-46817
Affected Products
Phpfox