Vulnerability Information
Vulnerability Title
N/A
Vulnerability Description
An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode() calls ObjectInputStream.readObject() to deserialize a SessionData object without restricting which classes the stream may instantiate. Because readObject() fully reconstructs whatever serializable object the stream describes before the result is cast to SessionData, an attacker can craft a malicious serialized object, base64 encode it, and place it in the PIPPO_SESSION field of a cookie. Sending this cookie to the server may lead to remote code execution.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Pippo security vulnerability
Vulnerability Description
Pippo is a Java-based web framework. Pippo 1.11.0 contains a security vulnerability caused by the 'SerializationSessionDataTranscoder.decode()' function calling 'ObjectInputStream.readObject()' to deserialize session data without checking the type of the SessionData object. A remote attacker can exploit this vulnerability to execute code.
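The two descriptions above both turn on the same point: a type check applied after readObject() returns is too late, because the object graph has already been built. The following added example (not Pippo's own code; SessionData here is a stand-in class, not ro.pippo.session.SessionData, and the cookie contents are constructed) shows the vulnerable decode pattern next to a hardened version that allow-lists classes in resolveClass(), which runs for every class descriptor before an instance is created. Requires Java 9+ for Set.of/List.of.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Set;

public class SessionTranscoderDemo {

    // Stand-in for the session payload carried in the PIPPO_SESSION cookie.
    // This is NOT Pippo's own SessionData class; it only needs to be Serializable.
    public static final class SessionData implements Serializable {
        private static final long serialVersionUID = 1L;
        final HashMap<String, Object> attributes = new HashMap<>();
        public SessionData put(String k, Object v) { attributes.put(k, v); return this; }
        @Override public String toString() { return "SessionData" + attributes; }
    }

    // How a cookie value is produced: Java-serialize, then base64-encode.
    static String encode(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    // VULNERABLE pattern described in the advisory: readObject() reconstructs
    // whatever class the stream names; the cast to SessionData happens only
    // after the whole graph (and any readObject() side effects) has run.
    static SessionData decodeUnsafe(String cookie) throws IOException, ClassNotFoundException {
        byte[] bytes = Base64.getDecoder().decode(cookie);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (SessionData) ois.readObject();
        }
    }

    // Classes a legitimate session may contain (illustrative allow-list; a real
    // deployment lists exactly the types its sessions store). Number is included
    // because Integer's serialized form carries a descriptor for its superclass.
    static final Set<String> ALLOWED = Set.of(
            SessionData.class.getName(), HashMap.class.getName(),
            String.class.getName(), Integer.class.getName(), Long.class.getName(),
            Boolean.class.getName(), Number.class.getName());

    // HARDENED: resolveClass() is invoked for every class descriptor read from
    // the stream, before any instance is created, so a stream that names a
    // class outside the allow-list is rejected at that descriptor.
    static SessionData decodeSafe(String cookie) throws IOException, ClassNotFoundException {
        byte[] bytes = Base64.getDecoder().decode(cookie);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                if (!ALLOWED.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "class not permitted in PIPPO_SESSION");
                }
                return super.resolveClass(desc);
            }
        }) {
            return (SessionData) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate session, and a non-allow-listed object
        // standing in for an attacker-supplied payload. (A real attack would carry
        // a gadget chain from a library on the classpath; a plain ArrayList is
        // enough to show where each decoder stops.)
        String legit = encode(new SessionData().put("user", "alice").put("visits", 3));
        String hostile = encode(new ArrayList<>(List.of("not", "a", "session")));

        System.out.println("legit   / unsafe: " + decodeUnsafe(legit));
        System.out.println("legit   / safe  : " + decodeSafe(legit));

        try {
            decodeUnsafe(hostile);
        } catch (ClassCastException e) {
            // The ArrayList was fully deserialized; only the cast afterwards failed.
            System.out.println("hostile / unsafe: deserialized first, then " + e.getClass().getSimpleName());
        }
        try {
            decodeSafe(hostile);
        } catch (InvalidClassException e) {
            System.out.println("hostile / safe  : rejected before instantiation: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same restriction can be expressed with ObjectInputStream.setObjectInputFilter, or process-wide via the jdk.serialFilter system property, which also lets you cap graph depth and array sizes; the resolveClass() override above is the form that also works on Java 8. Either way, the allow-list must cover every class that appears in a legitimate session (including superclass descriptors such as Number), and the cookie should additionally be authenticated (for example with an HMAC) so that untrusted bytes never reach readObject() at all.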
CVSS Information
N/A
Vulnerability Type
N/A