Full title: Gibbon School Platform Authenticated PHP Deserialization Exploit 
Category: web applications
Platform: php
A Remote Code Execution vulnerability in Gibbon online school platform version 26.0.00 and lower allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the endpoint `/modules/System%20Admin/import_run.php&type=externalAssessment&step=4`. As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands, potentially resulting in complete system compromise, data exfiltration, or unauthorized access to sensitive information.

# 0day.today @ http://0day.today/