Vulnerability: PHP Object Injection in GOsa_Filter_Settings Cookie

Vulnerability: PHP Object Injection in GOsa_Filter_Settings Cookie

CVE-2019-14466 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

The GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2 is vulnerable to PHP objection injection, which allows a remote authenticated attacker to perform file deletions (in the context of the user account that runs the web server) via a crafted cookie value, because unserialize is used to restore filter settings from a cookie.

Learn more about our Web App Pen Testing.