Critical severity9.8NVD Advisory· Published Jan 20, 2017· Updated May 13, 2026

CVE-2017-5543

Description

includes/classes/ia.core.users.php in Subrion CMS 4.0.5 allows remote attackers to conduct PHP Object Injection attacks via crafted serialized data in a salt cookie in a login request.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
intelliants/subrionPackagist	>= 4.0.5, < 4.1.0	4.1.0

Affected products

Intelliants/Subrion
cpe:2.3:a:intelliants:subrion:4.0.5:*:*:*:*:*:*:*

Patches

019dee20a38f

#297

https://github.com/intelliants/subrionJanur JangaraevJan 17, 2017via ghsa

commit

1 file changed · +1 −1

includes/classes/ia.core.users.php+1 −1 modified

@@ -706,7 +706,7 @@ protected function _getSalt()
 
 		if (isset($_COOKIE['salt']) && $_COOKIE['salt'])
 		{
-			$s = unserialize($_COOKIE['salt']);
+			$s = json_decode($_COOKIE['salt'], true);
 			if (isset($s['salt']) && isset($s['items']) && $s['salt'] && $s['items'])
 			{
 				$salt = $s;

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/intelliants/subrion/issues/297nvdIssue TrackingPatchThird Party AdvisoryWEB
www.securityfocus.com/bid/95688nvdThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-4j79-4m6q-77vfghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-5543ghsaADVISORY
github.com/intelliants/subrion/commit/019dee20a38f39a5827aae2eb92f09b1f6afb7bbghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000