Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Using PHP’s unserialize() function on data that can be controlled by users is dangerous because it allows attackers to inject specially crafted input. This can cause the application to execute malicious code or behave unexpectedly.
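The following PHP is an added example written for this rule and is not code from the original page or from any project it describes. It places the pattern the rule flags (`unserialize()` on a cookie value) beside two hardened alternatives: refusing object instantiation with `allowed_classes => false`, and the preferred approach of authenticating the value with an HMAC and using a data-only format (JSON). The function names, the cookie contents and the placeholder key are assumptions made for illustration; it assumes PHP 8 or later.

```php
<?php
// Added example, not from the original page. Function names, sample inputs
// and the placeholder key are assumptions for illustration. Requires PHP 8+.
declare(strict_types=1);

// --- Pattern this rule flags: unserialize() on attacker-controlled input. ---
// Every loadable class with a magic method (__wakeup, __destruct, __toString,
// ...) becomes reachable from the raw cookie bytes. (CWE-502)
function loadPrefsUnsafe(string $cookie): mixed
{
    return unserialize($cookie);
}

// --- Hardened variant 1: keep PHP serialization but refuse objects. ---
// With allowed_classes => false a serialized object is restored as
// __PHP_Incomplete_Class, so no magic method runs. Only scalars and arrays
// survive; anything that is not an array at the top level is discarded.
function loadPrefsNoObjects(string $cookie): array
{
    $data = @unserialize($cookie, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// --- Hardened variant 2 (preferred): authenticate, then decode data only. ---
// Cookie layout (an assumption): "<base64 json>.<hmac-sha256 hex>".
// The HMAC rejects tampered or forged values before any decoder sees them,
// and JSON cannot express objects with behaviour, so even a leaked key does
// not turn decoding into code execution.
function encodePrefs(array $prefs, string $key): string
{
    $payload = base64_encode(json_encode($prefs, JSON_THROW_ON_ERROR));
    $mac = hash_hmac('sha256', $payload, $key);
    return $payload . '.' . $mac;
}

function loadPrefsSafe(string $cookie, string $key): array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    if (!hash_equals($expected, $mac)) {      // constant-time comparison
        return [];                            // tampered or forged: discard
    }
    $raw = base64_decode($payload, true);     // strict mode: reject junk
    if ($raw === false) {
        return [];
    }
    // Associative arrays only, shallow nesting limit, exception on bad JSON.
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Constructed demo inputs (not real traffic); key is a placeholder.
$key = 'replace-with-a-secret-loaded-from-config';
$good = encodePrefs(['theme' => 'dark', 'perPage' => 25], $key);
var_dump(loadPrefsSafe($good, $key));        // decoded preference array

$tampered = substr_replace($good, 'x', 3, 1); // alter one payload character
var_dump(loadPrefsSafe($tampered, $key));    // empty array: MAC mismatch

// A serialized object handed to the no-objects loader is restored as
// __PHP_Incomplete_Class, which is not an array, so it is dropped.
$serializedObject = 'O:8:"stdClass":1:{s:5:"theme";s:4:"dark";}';
var_dump(loadPrefsNoObjects($serializedObject));
```

The design point: `allowed_classes => false` is a useful stopgap for legacy data you cannot reformat, but the input is still parsed by `unserialize()`; moving to an authenticated, data-only encoding removes the dangerous parser from the untrusted path altogether, which is the change a reviewer should ask for when this rule fires.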
Impact
If exploited, attackers could execute arbitrary code, escalate privileges, or manipulate application data, potentially leading to data breaches, server compromise, or complete takeover of the application. This threatens both user data and overall system integrity.