[horde] Question on: (0Day) Horde Groupware Webmail Edition Sort sortpref Deserialization of Untrusted Data Remote Code Execution Vulnerability
wahnes at uni-koeln.de
Wed Oct 12 16:41:52 UTC 2022
Ralf Lang wrote:
> I had a closer look at the desirable values for this preference.
> In this specific case we need not argue if it is actually feasible for a
> regular user to inject malicious data.
> The desirable unserialization result does not contain objects. Thus, I
> can simply disallow any objects in the deserialisation result.
> I will provide a patch either tonight or tomorrow.
Thank you for taking the time to look into this.
I'm looking forward to your patch.
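The approach described in the quoted message (accept the unserialized preference only if it contains no objects) could look like the following. This is an added example, not the Horde patch or any code from the project; the function names and the shape of the sample preference value are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: true if $value is an object or holds one at any depth.
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hypothetical helper: decode a serialized preference that should only ever
// be a plain array of scalars/arrays; fall back to $default otherwise.
function decodePref(string $raw, array $default): array
{
    // allowed_classes => false: no named class is instantiated, so no
    // __wakeup()/__destruct() of application classes can run. Serialized
    // objects come back as __PHP_Incomplete_Class instances instead.
    $value = @unserialize($raw, ['allowed_classes' => false]);

    // Reject parse failures (false), non-arrays, and any result that still
    // carries an object placeholder.
    if (!is_array($value) || containsObject($value)) {
        return $default;
    }
    return $value;
}

// Constructed sample inputs; the array layout is an assumption.
$plain      = serialize([['sortby' => 1, 'sortdir' => 0]]);
$withObject = 'a:1:{i:0;O:8:"stdClass":0:{}}';
$default    = [];

var_dump(decodePref($plain, $default));       // accepted as-is
var_dump(decodePref($withObject, $default));  // rejected, default returned
var_dump(decodePref('not serialized', $default)); // rejected, default returned
```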