#VU41780 Code Injection in Pimcore - CVE-2014-2921
Published: April 22, 2014 / Updated: June 17, 2021
Vulnerability identifier: #VU41780
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2014-2921
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Pimcore
Pimcore
Software vendor:
Pimcore
Pimcore
Description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.0.0 does not properly handle an object obtained by unserializing Lucene search data, which allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via vectors involving a Zend_Pdf_ElementFactory_Proxy object and a pathname with a trailing � character.
Remediation
Install update from vendor's website.