admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the ‘session’ HTTP GET parameter to wp-admin/upload.php.
CWE-1321
CVE-2018-3721
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of “Object” via __proto__, causing the addition or modification of an existing property that will exist on all objects.
CVE-2018-19296
PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.
CVE-2018-19274
Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.
CVE-2018-11135
The script ‘/adminui/error_details.php’ in the Quest KACE System Management Appliance 8.0.318 allows authenticated users to conduct PHP object injection attacks.
CVE-2020-8203
lodash before 4.17.20 is vulnerable to a prototype pollution attack when using _.zipObjectDeep.