{"id":"CVE-2019-15521","details":"Spoon Library through 2014-02-06, as used in Fork CMS before 1.4.1 and other products, allows PHP object injection via a cookie containing an object.","aliases":["GHSA-2p2x-mw56-jc98"],"modified":"2026-03-14T09:32:58.287393Z","published":"2019-08-26T13:15:11.413Z","references":[{"type":"ADVISORY","url":"https://github.com/forkcms/library/releases/tag/1.4.1"},{"type":"FIX","url":"https://github.com/forkcms/library/pull/69"},{"type":"FIX","url":"https://github.com/spoon/library/blob/bda89be80b7e1ffdc93d3180d33a56927430298b/spoon/cookie/cookie.php#L117"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/forkcms/library","events":[{"introduced":"0"},{"fixed":"14686573e7ccf1edc424579803714d015d411e63"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.4.1"}]}}],"versions":["1.3.1","1.3.10","1.3.11","1.3.12","1.3.13","1.3.14","1.3.15","1.3.16","1.3.17","1.3.18","1.3.2","1.3.3","1.3.4","1.3.5","1.3.6","1.3.7","1.3.8","1.3.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-15521.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"2014-02-06"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}