Description
The "Remember me" feature in the opSecurityUser::getRememberLoginCookie function in lib/user/opSecurityUser.class.php in OpenPNE 3.6.13 before 3.6.13.1 and 3.8.9 before 3.8.9.1 does not properly validate login data in HTTP Cookie headers, which allows remote attackers to conduct PHP object injection attacks, and execute arbitrary PHP code, via a crafted serialized object.
References (5)
Core 5
Core References
Vendor Advisory x_refsource_confirm
https://www.openpne.jp/archives/12293/
Third Party Advisory third-party-advisory
x_refsource_jvn
http://jvn.jp/en/jp/JVN69986880/index.html
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/54043
Vendor Advisory x_refsource_misc
http://secunia.com/secunia_research/2014-1/
Third Party Advisory third-party-advisory
x_refsource_jvndb
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000009
Scores
EPSS
0.0153
EPSS Percentile
71.7%
Details
CWE
CWE-20
Status
published
Products (2)
tejimaya/openpne
3.6.13
tejimaya/openpne
3.8.9
Published
Jan 24, 2014
Tracked Since
Feb 18, 2026