
CVE-2019-15521: Spoon Library as used in Fork CMS allows PHP object injection

CVSS Score: 9.8 (CVSS v3.0)

Basic Information

EPSS Score: 0.70595%
Published: 5/24/2022
Updated: 7/17/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name    Ecosystem   Vulnerable Versions   First Patched Version
spoon/library   composer    < 1.4.1               1.4.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from unsafe deserialization in SpoonCookie::get(), where user-controlled cookie data is passed directly to unserialize(). This matches CWE-502 (Deserialization of Untrusted Data). The GitHub advisory specifically references line 117 of cookie.php, which contains the unserialize() call. The set method's use of serialize() creates the attack surface by persisting PHP-serialized data in the cookie, where the client can replace it. The patch in Fork CMS replaced these serialize()/unserialize() calls with JSON encoding/decoding, which cannot instantiate arbitrary classes and so eliminates the object injection risk.
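The pattern described above, shown side by side with two hardened forms, as an added example that is not code from the Spoon Library or Fork CMS. All function names (getCookieUnsafe, getCookieNoObjects, setCookieJson, getCookieJson) are hypothetical, and the snippet assumes PHP 8.0 or later.

```php
<?php
// Added example, not Spoon Library or Fork CMS code. Function names are hypothetical.
declare(strict_types=1);

// Vulnerable pattern (CWE-502): the raw cookie value reaches unserialize(),
// so the client decides which classes get instantiated and which __wakeup()
// or __destruct() handlers run on the server.
function getCookieUnsafe(string $name): mixed
{
    if (!isset($_COOKIE[$name])) {
        return null;
    }
    return unserialize($_COOKIE[$name]);   // user-controlled input, no restrictions
}

// Hardened variant 1: keep the PHP serialization format but refuse object creation.
// With allowed_classes => false (PHP >= 7.0) any object in the payload becomes a
// __PHP_Incomplete_Class, so no magic methods of application classes fire.
function getCookieNoObjects(string $name): mixed
{
    if (!isset($_COOKIE[$name])) {
        return null;
    }
    return unserialize($_COOKIE[$name], ['allowed_classes' => false]);
}

// Hardened variant 2 (the approach the Fork CMS fix took): JSON instead of
// PHP serialization. json_decode() has no notion of classes; with $assoc = true
// it yields only scalars and arrays, so there is nothing to inject.
function setCookieJson(string $name, mixed $value, int $ttlSeconds = 3600): bool
{
    $encoded = json_encode($value, JSON_THROW_ON_ERROR);
    return setcookie($name, $encoded, [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function getCookieJson(string $name): mixed
{
    if (!isset($_COOKIE[$name])) {
        return null;
    }
    try {
        // Depth limit of 16 bounds nested payloads; adjust to the data you store.
        return json_decode($_COOKIE[$name], true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        // Malformed cookie: treat it as absent. Never fall back to unserialize().
        return null;
    }
}

// Constructed demonstration input (no real request): simulate what a browser
// would send back after the application stored a small preferences array.
$_COOKIE['prefs_serialized'] = serialize(['lang' => 'en', 'theme' => 'dark']);
$_COOKIE['prefs_json']       = json_encode(['lang' => 'en', 'theme' => 'dark']);

var_dump(getCookieNoObjects('prefs_serialized'));
var_dump(getCookieJson('prefs_json'));
```

Variant 1 is the smallest change when the cookie format cannot be switched in one release, but it still leaves the PHP parser exposed to malformed input; variant 2 is the structural fix, and any existing PHP-serialized cookies simply fail json_decode() and are treated as absent, which is the safe default during migration.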


WAF Protection Rules

WAF Rule

Spoon Library through ****-**-**, as used in Fork CMS before *.*.* and other products, allows PHP object injection via a cookie containing an object.
