zendesk / zendesk_api_client_php

Official Zendesk API v2 client library for PHP

Security issue in oauth sample #464

Closed johan-lindahl closed 2 years ago

johan-lindahl commented 3 years ago

The oauth sample seems to be vulnerable to deserialization attacks.

https://github.com/zendesk/zendesk_api_client_php/blob/13f0c1f299796cc271a2b84c7eda98b3ab0c97a9/samples/auth/oauth.php#L28

https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
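The pattern behind this report, as an added illustration that is not the Zendesk sample's code (every class and function name is hypothetical, assumes PHP 7.4+): a vulnerable `unserialize()` on a client-controlled value beside two defensive alternatives.

```php
<?php
// Added example, not code from the Zendesk sample. All names are hypothetical.
// Demonstrates the PHP object-injection pattern reported in this issue and
// two defensive alternatives.

// Stand-in for any class on the autoload path that has a magic method. A real
// gadget would do something harmful in __wakeup/__destruct; this one only
// records that it was instantiated from attacker-chosen bytes.
class Marker
{
    public static int $wakeups = 0;
    public function __wakeup(): void { self::$wakeups++; }
}

// VULNERABLE: the client controls the serialized bytes, so it controls which
// classes PHP instantiates while parsing them.
function restoreStateVulnerable(string $cookieValue)
{
    return unserialize(base64_decode($cookieValue)); // DO NOT DO THIS
}

// SAFE: a data-only format plus an explicit shape/type check.
function restoreStateSafe(string $cookieValue): ?array
{
    $raw = base64_decode($cookieValue, true);
    $data = $raw === false ? null : json_decode($raw, true, 4);
    if (!is_array($data)
        || !isset($data['state'], $data['redirect_uri'])
        || !is_string($data['state'])
        || !is_string($data['redirect_uri'])) {
        return null;
    }
    return ['state' => $data['state'], 'redirect_uri' => $data['redirect_uri']];
}

// If serialize() output must still be accepted, refuse object instantiation:
// PHP 7+ then yields __PHP_Incomplete_Class instead of the named class.
function restoreStateLegacy(string $cookieValue): ?array
{
    $data = @unserialize(base64_decode($cookieValue), ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Demo: a constructed cookie carrying a serialized Marker object.
$hostile = base64_encode('O:6:"Marker":0:{}');
restoreStateVulnerable($hostile);
echo "vulnerable path instantiated Marker: " . Marker::$wakeups . "\n";
restoreStateSafe($hostile);
restoreStateLegacy($hostile);
echo "safe paths instantiated Marker: " . (Marker::$wakeups - 1) . "\n";
```

The same check applies when reviewing the sample: any `unserialize()` whose input can be influenced by the browser should be replaced with a data-only format or at least `allowed_classes => false`.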

mattkennedy-zendesk commented 2 years ago

Hi @johan-lindahl,

Thanks for making us aware of this, and our apologies for the delay in responding to it. We have now fixed this issue, and have also published an advisory with some more information.

Please let us know if you have any questions.

Matt.