Hi @MightyGorgon,
unserialize() is called on $_COOKIE values without allowed_classes in multiple files (viewforum.php, viewtopic.php, forum.php, search.php, etc.; 25 instances). CWE-502. CVE IDs requested from MITRE.
Fix: add ['allowed_classes' => false] or switch to json_decode().
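The two fixes named in the report, sketched as an added example (not code from the project or from the reporter). The cookie name `example_tracking` and the assumed data shape, a map of integer id to integer timestamp, are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical cookie name; the real names live in the affected files.
const TRACKING_COOKIE = 'example_tracking';

// Pattern from the report, kept as a comment: any class named in the cookie
// is instantiated and its __wakeup()/__destruct() may run.
//   $tracking = unserialize($_COOKIE[TRACKING_COOKIE]);

// Keep only the assumed shape: positive int id => non-negative int timestamp.
function filter_tracking(array $data): array
{
    $clean = [];
    foreach ($data as $id => $ts) {
        if (is_int($id) && is_int($ts) && $id > 0 && $ts >= 0) {
            $clean[$id] = $ts;
        }
    }
    return $clean;
}

// Fix 1: same wire format, but serialized objects become
// __PHP_Incomplete_Class and no application class is loaded.
function read_tracking_serialized(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? filter_tracking($data) : [];
}

// Fix 2: JSON cannot express objects of application classes at all.
function read_tracking_json(string $raw): array
{
    $data = json_decode($raw, true);
    return is_array($data) ? filter_tracking($data) : [];
}

// In a request handler (empty array when the cookie is absent or malformed):
$tracking = read_tracking_serialized($_COOKIE[TRACKING_COOKIE] ?? '');

// Constructed sample inputs, run from the CLI:
var_dump(read_tracking_serialized('a:1:{i:12;i:1700000000;}')); // well-formed array
var_dump(read_tracking_serialized('O:8:"stdClass":0:{}'));      // object input is rejected
var_dump(read_tracking_json('{"12":1700000000}'));              // JSON form of the same data
```

Moving to `json_decode()` changes the cookie format, so cookies already issued in serialized form will read as empty until they are rewritten.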