**Vulnerability Information:**

- **Description**: Post-Auth Unsafe Deserialization on BasePage (AJAX)
- **Severity**: Critical (CVE-2021-21247)
- **Affected Versions**: <4.0.2
- **Patched Version**: 4.0.3

**Impact**: The application's `BasePage` registers an AJAX event listener (`AbstractPostAjaxBehavior`) in all pages except the login page. This listener decodes and deserializes the `data` query parameter, making it susceptible to unsafe deserialization attacks.

**Exploit Example**: By submitting a POST request with a crafted `data` parameter, an attacker can exploit this vulnerability.

**Patches**: The issue was fixed in version 4.0.3 by encrypting the serialization payload with secrets only known to the server.

**Credits**: This issue was discovered by `@pwntester`.
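The mitigation described under Patches can be sketched as follows. This is an added example, not the project's actual patch: the class name `SealedPayload`, the choice of AES-GCM and the token layout are assumptions made for illustration. The point it shows is ordering: the server authenticates the `data` value with its own key before any byte reaches `readObject`.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.io.*;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper (not from the project): seals serialized state so clients cannot forge it.
public class SealedPayload {
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKey key; // server-side secret, never sent to the client

    SealedPayload(SecretKey key) { this.key = key; }

    // Serialize, then encrypt and authenticate; output = base64url(nonce || ciphertext+tag).
    String seal(Serializable value) throws Exception {
        ByteArrayOutputStream plain = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(plain)) { oos.writeObject(value); }
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plain.toByteArray());
        return Base64.getUrlEncoder().encodeToString(
                ByteBuffer.allocate(nonce.length + ct.length).put(nonce).put(ct).array());
    }

    // Authenticate first; readObject only ever sees bytes this server produced.
    Object open(String data) throws Exception {
        byte[] raw = Base64.getUrlDecoder().decode(data);
        if (raw.length < 12 + 16) throw new InvalidObjectException("payload too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, raw, 0, 12));
        byte[] plain = c.doFinal(raw, 12, raw.length - 12); // AEADBadTagException if altered
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(plain))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SealedPayload sp = new SealedPayload(kg.generateKey());
        String token = sp.seal("constructed sample value"); // constructed sample input
        System.out.println(sp.open(token));
        // Alter one character: the tag check fails before any deserialization happens.
        char swap = token.charAt(20) == 'A' ? 'B' : 'A';
        String altered = token.substring(0, 20) + swap + token.substring(21);
        try { sp.open(altered); } catch (AEADBadTagException e) { System.out.println("rejected"); }
    }
}
```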