Description

It was determined that your web application is performing Python object deserialization (using the pickle library) of user-supplied data. Arbitrary object deserialization is inherently unsafe, and should never be performed on untrusted data. Consult Web references section for more information about this issue.

Remediation

The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

References

Exploiting Misuse of Python's "Pickle"

Related Vulnerabilities

PHP mail function ASCII control character header spoofing vulnerability

WordPress Plugin Ninja Forms Contact Form-The Drag and Drop Form Builder for WordPress SQL Injection (2.9.55.1)

WordPress Plugin WP eCommerce 'collected_data[]' SQL Injection (3.8.4)

WordPress Plugin WordPress Photo Gallery by Gallery Bank SQL Injection (3.0.229)

WordPress Plugin WP eCommerce 'wpsc-transaction_results_functions.php' SQL Injection (3.8.7.5)

Severity

Medium

Classification

CWE-20 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Abuse Of Functionality Insecure Deserialization Denial Of Service Code Execution SQL Injection Code Execution Directory Traversal