Vulnerability Description
The "Remember me" feature in the opSecurityUser::getRememberLoginCookie function in lib/user/opSecurityUser.class.php in OpenPNE 3.6.13 before 3.6.13.1 and 3.8.9 before 3.8.9.1 does not properly validate login data in HTTP Cookie headers, which allows remote attackers to conduct PHP object injection attacks, and execute arbitrary PHP code, via a crafted serialized object.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tejimaya | Openpne | 3.6.13 |
Related Weaknesses (CWE)
References
- http://jvn.jp/en/jp/JVN69986880/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2014-000009
- http://secunia.com/advisories/54043Vendor Advisory
- http://secunia.com/secunia_research/2014-1/Vendor Advisory
- https://www.openpne.jp/archives/12293/Vendor Advisory
- http://jvn.jp/en/jp/JVN69986880/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2014-000009
- http://secunia.com/advisories/54043Vendor Advisory
- http://secunia.com/secunia_research/2014-1/Vendor Advisory
- https://www.openpne.jp/archives/12293/Vendor Advisory
FAQ
What is CVE-2013-5350?
CVE-2013-5350 is a vulnerability with a CVSS score of 7.5 (HIGH). The "Remember me" feature in the opSecurityUser::getRememberLoginCookie function in lib/user/opSecurityUser.class.php in OpenPNE 3.6.13 before 3.6.13.1 and 3.8.9 before 3.8.9.1 does not properly valid...
How severe is CVE-2013-5350?
CVE-2013-5350 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-5350?
Check the references section above for vendor advisories and patch information. Affected products include: Tejimaya Openpne.