Submit #657302: pmTicket Project-Management-Software (https://github.com/issue-tracking-system/Project-Management-Software) up to commit 2ef379da2075f4761a2c9029cf91d073474e7486 Authentication Bypass via Insecure Deserialization

Title: pmTicket Project-Management-Software (https://github.com/issue-tracking-system/Project-Management-Software) up to commit 2ef379da2075f4761a2c9029cf91d073474e7486 Authentication Bypass via Insecure Deserialization
Description: This vulnerability exists in the loadLanguage function within the classes/class.database.php file. It occurs because arbitrary user input ($_COOKIE['logged']) is passed directly to the unserialize() function without proper validation. This insecure deserialization lets an attacker craft a malicious cookie value, resulting in object injection and, in turn, authentication bypass.
Source: https://asciinema.org/a/kTWHQMM7n6QH98gGCW3e7T9xT
User: Allan Njuguna (UID 57480)
Submission: 09/17/2025 17:09 (7 months ago)
Moderation: 09/28/2025 11:55 (11 days later)
Status: Accepted
VulDB entry: 326212 [pmTicket Project-Management-Software up to 2ef379da2075f4761a2c9029cf91d073474e7486 Cookie class.database.php loadLanguage user_id deserialization]
Points: 20
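
A hardened way to handle the `logged` cookie described above, as an added example that is not the project's own code: the cookie is JSON with an HMAC-SHA256 tag that is verified before parsing, and `unserialize()` is never called on it. The function names, the key constant and the assumption that the cookie only needs to carry a user id are hypothetical; note that `unserialize($value, ['allowed_classes' => false])` alone would stop object injection but would still leave the value forgeable by the client.

```php
<?php
declare(strict_types=1);

// Hypothetical key: in practice load a long random secret from server-side configuration.
const COOKIE_KEY = 'replace-with-random-secret-from-config';

// Build the cookie value: base64(JSON payload) . "." . HMAC-SHA256 tag over the base64 text.
function issueLoggedCookie(int $userId, int $ttl = 3600): string
{
    $payload = json_encode(['user_id' => $userId, 'exp' => time() + $ttl], JSON_THROW_ON_ERROR);
    $body = base64_encode($payload);
    return $body . '.' . hash_hmac('sha256', $body, COOKIE_KEY);
}

// Return the authenticated user id, or null for anything malformed, forged or expired.
function readLoggedCookie(?string $raw): ?int
{
    if ($raw === null || substr_count($raw, '.') !== 1) {
        return null;
    }
    [$body, $tag] = explode('.', $raw);
    // Verify integrity before parsing; hash_equals compares in constant time.
    if (!hash_equals(hash_hmac('sha256', $body, COOKIE_KEY), $tag)) {
        return null;
    }
    $json = base64_decode($body, true);
    if ($json === false) {
        return null;
    }
    // json_decode yields only arrays and scalars, never instances of application classes.
    $data = json_decode($json, true);
    if (!is_array($data) || !is_int($data['user_id'] ?? null) || !is_int($data['exp'] ?? null)) {
        return null;
    }
    return $data['exp'] >= time() ? $data['user_id'] : null;
}

// Constructed inputs: a valid cookie, a tampered copy, and a PHP-serialized value.
$good = issueLoggedCookie(42);
var_dump(readLoggedCookie($good));
var_dump(readLoggedCookie('x' . $good));
var_dump(readLoggedCookie('a:1:{s:7:"user_id";i:1;}'));
```

Only the first call returns a user id; the tampered and serialized values are rejected before any parsing takes place.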
