spomky-labs/otphp Security Advisories for v3.1.1 (2)
- [MEDIUM] Mass-assignment in Factory::loadFromProvisioningUri lets a hostile provisioning URI corrupt OTP state or leak an uncaught TypeError
PKSA-qv5y-crcz-9nxw GHSA-2jx3-65f3-xr8r
Affected version: <11.4.3
Reported by: GitHub, FriendsOfPHP/security-advisories
- [HIGH] Unbounded digits parameter in a provisioning URI triggers an uncaught DivisionByZeroError in OTP generation
PKSA-kbc7-dq62-pt7d GHSA-g7m4-839x-ch6v
Affected version: <11.4.3
Reported by: GitHub, FriendsOfPHP/security-advisories