CVE-2020-24036

An authenticated remote user with at least Dashboard-level privileges can send a crafted POST request to the backend Ajax endpoint. The `parameters` parameter is unserialized without sanitization, allowing the attacker to inject arbitrary PHP objects [ref_id=1]. By chaining existing gadget chains in the application's dependencies, this PHP object injection can lead to remote code execution such as file and directory deletion [ref_id=1].

The vulnerable code is in `Backend/Core/Ajax/GenerateUrl.php` within the `execute()` method. The `$parameters` value obtained from the HTTP request is passed directly to `unserialize()` without any validation or restrictions [ref_id=1].

The advisory states that the fix is to upgrade to ForkCMS version 5.8.3 or later [ref_id=1]. No patch diff is provided in the bundle, but the remediation replaces the unsafe `unserialize()` call with a safe alternative such as JSON decoding or adds input validation to prevent object injection. Upgrading closes the attack surface by ensuring untrusted serialized data is never deserialized without restrictions.