The "Remember me" feature in the opSecurityUser::getRememberLoginCookie function in lib/user/opSecurityUser.class.php in OpenPNE 3.6.13 prior to 3.6.13.1 and 3.8.9 prior to 3.8.9.1 does not properly validate login data in HTTP Cookie headers, which allows remote malicious users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object.
Vulnerable Product |
---|
tejimaya openpne 3.6.13 |
tejimaya openpne 3.8.9 |
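
One way to avoid the bug class described above, as an added example (not OpenPNE's code or its actual patch): the remember-me cookie carries a JSON payload authenticated with an HMAC, so no `unserialize()` call ever sees request data. The function names, cookie layout, lifetime and key are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Bug class from the advisory, shown generically (not OpenPNE's actual source):
//   $login = unserialize($cookieValue); // classes named in the cookie get instantiated
// Hardened form: data-only JSON, authenticated with an HMAC before it is parsed.

const COOKIE_TTL = 2592000; // 30 days (constructed value)

function issueRememberCookie(int $memberId, string $key, int $now): string
{
    $payload = json_encode(['member_id' => $memberId, 'expires' => $now + COOKIE_TTL]);
    $body = base64_encode($payload);
    return $body . '.' . hash_hmac('sha256', $body, $key);
}

function parseRememberCookie(string $cookie, string $key, int $now): ?array
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    // Constant-time MAC check first: unauthenticated bytes are never decoded.
    if (!hash_equals(hash_hmac('sha256', $body, $key), $mac)) {
        return null;
    }
    $json = base64_decode($body, true);
    $data = $json === false ? null : json_decode($json, true);
    // JSON can only produce scalars and arrays, never objects of arbitrary classes.
    if (!is_array($data)
        || !is_int($data['member_id'] ?? null)
        || !is_int($data['expires'] ?? null)
        || $data['expires'] < $now) {
        return null;
    }
    return ['member_id' => $data['member_id'], 'expires' => $data['expires']];
}

// Constructed demo values.
$key = 'constructed-demo-key-not-for-production';
$now = 1700000000;
$cookie = issueRememberCookie(42, $key, $now);

var_dump(parseRememberCookie($cookie, $key, $now) !== null);              // valid cookie
var_dump(parseRememberCookie('x' . $cookie, $key, $now));                 // tampered body
var_dump(parseRememberCookie($cookie, $key, $now + COOKIE_TTL + 1));      // expired
var_dump(parseRememberCookie('O:8:"stdClass":0:{}', $key, $now));         // serialized object
```

Where a legacy cookie format must still be read with `unserialize()`, passing `['allowed_classes' => false]` (PHP 7.0 and later) prevents instantiation of named classes, though authenticating the value before parsing remains the stronger control.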