Date: Mon, 14 Apr 2014 10:16:43 +0100 From: Pedro Ribeiro <pedrib@...il.com> To: oss-security@...ts.openwall.com Cc: Bernhard Rusch <Bernhard.Rusch@...ments.at> Subject: Remote code execution in Pimcore CMS Hi, I have discovered a PHP object injection in Pimcore CMS. Depending on the PHP version under which Pimcore is running, it is possible to achieve remote code execution in the worst case, and arbitrary file deletion at best. Please find attached the report, which is also available at https://github.com/pedrib/PoC/blob/master/pimcore-2.1.0.txt Can you please provide a CVE number for this? Thanks in advance. Regards Pedro Content of type "text/html" skipped View attachment "pimcore-2.1.0.txt" of type "text/plain" (7191 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ