ID:6281 - Exploit for Code Injection in Pimcore - CVE-2014-2921

CSH
CYBERSECURITY HELP
Sign In REGISTER
 
Main Vulnerability Database Exploits ID:6281 - Exploit for Code Injection in Pimcore - CVE-2014-2921

ID:6281 - Exploit for Code Injection in Pimcore - CVE-2014-2921

Published: June 17, 2021


Vulnerability identifier: #VU41780
Vulnerability risk: Medium
CVE-ID: CVE-2014-2921
CWE-ID: CWE-94
Exploitation vector: Remote access
Vulnerable software:
Pimcore

Link to public exploit:


Vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.0.0 does not properly handle an object obtained by unserializing Lucene search data, which allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via vectors involving a Zend_Pdf_ElementFactory_Proxy object and a pathname with a trailing character.


Remediation

Install update from vendor's website.