PixelYourSite - Insecure deserialization

Description

PixelYourSite- Your smart PIXEL (TAG) and API Manager 10.1.1.1 was found to be vulnerable. Unvalidated user input is used directly in an unserialize function in myapp/modules/facebook/facebook-server-async-task.php.

Vulnerability

Skims by Fluid Attacks discovered a Insecure deserialization in PixelYourSite- Your smart PIXEL (TAG) and API Manager 10.1.1.1. The following is the output of the tool:

Skims output

 24 |
 25 | } catch (xception $ex) {
 26 | error_log($ex);
 27 | }
 28 |
 29 | return array();
 30 | }
 31 |
 32 | protected function run_action() {
 33 | try {
> 34 | $data = unserialize(base64_decode($_POST['data']));
 35 |
 36 | $events = is_array($data[0]) ? $data[0] : $data ;
 37 | if (empty($events)) {
 38 | return;
 39 | }
 40 |
 41 | foreach ($events as $event) {
 42 | FacebookServer()->sendEvent($event[""pixelIds""],$event[""event""]);
  43 |             }
  44 |
     ^ Col 0

Our security policy

We have reserved the ID CVE-2025-0769 to refer to this issue from now on.

Disclosure policy

System Information

• Version: PixelYourSite- Your smart PIXEL (TAG) and API Manager 10.1.1.1

Mitigation

The vendor released the following versions with the patch: PixelYourSite Free: 10.1.1.2 and PixelYourSite Pro: 11.2.2.3