CVE-2013-5350

OpenPNE <3.6.13.1-3.8.9.1 - Code Injection

Title source: llm
STIX 2.1

Description

The "Remember me" feature in the opSecurityUser::getRememberLoginCookie function in lib/user/opSecurityUser.class.php in OpenPNE 3.6.13 before 3.6.13.1 and 3.8.9 before 3.8.9.1 does not properly validate login data in HTTP Cookie headers, which allows remote attackers to conduct PHP object injection attacks, and execute arbitrary PHP code, via a crafted serialized object.

References (5)

Core 5
Core References
Vendor Advisory x_refsource_confirm
https://www.openpne.jp/archives/12293/
Third Party Advisory third-party-advisory x_refsource_jvn
http://jvn.jp/en/jp/JVN69986880/index.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/54043
Vendor Advisory x_refsource_misc
http://secunia.com/secunia_research/2014-1/
Third Party Advisory third-party-advisory x_refsource_jvndb
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000009

Scores

EPSS 0.0153
EPSS Percentile 71.7%

Details

CWE
CWE-20
Status published
Products (2)
tejimaya/openpne 3.6.13
tejimaya/openpne 3.8.9
Published Jan 24, 2014
Tracked Since Feb 18, 2026