HIGH
GHSA-52pr-7vmf-2w7x
Concrete CMS is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components
Details
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. The Concrete CMS security team thanks XananasX7 and Sanjorn Keeratirungsan (dizconnect) for both independently reporting this ssue.
Are you affected?
Enter the version of the package you're using.
Affected packages
Packagist / concrete5/concrete5
Introduced in:
0 Fixed in: 9.5.2 Fix
composer require concrete5/concrete5:^9.5.2