Research: PHP Object Injection in openmass

As part of my research into Gadget Chains and PHP Object Injection, I discovered an unsafe deserialisation vulnerability in the openmass project.

The maintainers responded quickly to the report, and put a fix in place the same day:

https://github.com/massgov/openmass/commit/1966c48ecee26e1c10479af00aa0f...

The vulnerability was never exposed on the public facing website.