oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE request: Fwd: Remote code execution in Pimcore CMS

From: Pedro Ribeiro <pedrib () gmail com>
Date: Sat, 19 Apr 2014 11:54:19 +0100
Resending this as it hasn't been picked up most likely because of the lack
of "CVE request" in the subject line.

Regards
Pedro
---------- Forwarded message ----------
From: "Pedro Ribeiro" <pedrib () gmail com>
Date: 14 Apr 2014 10:16
Subject: Remote code execution in Pimcore CMS
To: <oss-security () lists openwall com>
Cc: "Bernhard Rusch" <Bernhard.Rusch () elements at>

Hi,

I have discovered a PHP object injection in Pimcore CMS.

Depending on the PHP version under which Pimcore is running, it is possible
to achieve remote code execution in the worst case, and arbitrary file
deletion at best.

Please find attached the report, which is also available at

https://github.com/pedrib/PoC/blob/master/pimcore-2.1.0.txt

Can you please provide a CVE number for this?

Thanks in advance.

Regards
Pedro

Attachment: pimcore-2.1.0.txt
Description:

Previous By Date Next
Previous By Thread Next

Current thread: