Remote code execution can be achieved by any user by setting a well-crafted user preference.
An attacker could use this vulnerability to execute code on the server as the codendiadm user.
CVSSv3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
The method User::getRecentsElements() calls unserialize() on data that a user can arbitrarily manipulate through the REST API, which leads to PHP object injection.
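The following is an added example, not Tuleap's code, showing the pattern the advisory describes: a serialized user preference passed straight to unserialize() instantiates whatever class the string names, so any magic method (__wakeup(), __destruct()) on a loaded class runs. It contrasts that with two hardened forms, unserialize() with allowed_classes disabled and a JSON-only format. The class AuditedObject, the function names and the preference contents are constructed for illustration and do not come from the advisory.

```php
<?php
// Added example (not Tuleap's code): vulnerable vs. hardened handling of a
// user preference holding a serialized PHP value. Class, function and
// sample preference contents are assumptions made for this illustration.

declare(strict_types=1);

// Any class loaded in the application becomes instantiable through a crafted
// serialized string, and a magic method such as __wakeup() then executes.
// This harmless class only counts how many times it was woken up.
final class AuditedObject
{
    public static int $wakeups = 0;
    public string $note = '';

    public function __wakeup(): void
    {
        self::$wakeups++;
    }
}

// Vulnerable pattern: unserialize() on a preference value the user controls.
function getRecentElementsVulnerable(string $preference): array
{
    $value = unserialize($preference);          // instantiates any class named in the string
    return is_array($value) ? $value : [];
}

// Hardened pattern 1: refuse to instantiate any class (PHP 7.0+). Objects in
// the payload become __PHP_Incomplete_Class and no magic method runs.
function getRecentElementsSafe(string $preference): array
{
    $value = unserialize($preference, ['allowed_classes' => false]);
    return is_array($value) ? $value : [];
}

// Hardened pattern 2: store the preference as data-only JSON. json_decode()
// can never produce an instance of an application class.
function encodeRecentElements(array $elements): string
{
    return json_encode($elements, JSON_THROW_ON_ERROR);
}

function decodeRecentElements(string $preference): array
{
    $value = json_decode($preference, true, 512, JSON_THROW_ON_ERROR);
    return is_array($value) ? $value : [];
}

// Constructed sample preference: a list that smuggles an object where the
// application expects a plain element id.
$crafted = 'a:1:{i:0;O:13:"AuditedObject":1:{s:4:"note";s:3:"abc";}}';

getRecentElementsVulnerable($crafted);
printf("vulnerable: __wakeup ran %d time(s)\n", AuditedObject::$wakeups); // 1

AuditedObject::$wakeups = 0;
$safe = getRecentElementsSafe($crafted);
printf("hardened: __wakeup ran %d time(s), element is %s\n",
    AuditedObject::$wakeups, get_class($safe[0])); // 0, __PHP_Incomplete_Class

$json = encodeRecentElements([['type' => 'artifact', 'id' => 42]]);
var_dump(decodeRecentElements($json)[0]['id'] === 42); // bool(true)
```

Disabling allowed_classes is the smallest change to an existing serialize()-based preference store; switching the storage format to JSON removes the deserialization surface entirely and is the better long-term fix, since a preference only needs to carry plain data.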
A proof of concept demonstrating the vulnerability is attached.
The CVE ID CVE-2017-7411 has been assigned to this vulnerability.
Thank you to Egidio Romano from Karma(In)Security for reporting this vulnerability and coordinating its disclosure with us.