Date: Sat, 19 Apr 2014 11:54:19 +0100
From: Pedro Ribeiro <pedrib@...il.com>
To: oss-security@...ts.openwall.com, Cve-assign@...re.org
Cc: Bernhard Rusch <Bernhard.Rusch@...ments.at>
Subject: CVE request: Fwd: Remote code execution in Pimcore CMS

Resending this as it hasn't been picked up most likely because of the lack of "CVE request" in the subject line.

Regards
Pedro

---------- Forwarded message ----------
From: "Pedro Ribeiro" <pedrib@...il.com>
Date: 14 Apr 2014 10:16
Subject: Remote code execution in Pimcore CMS
To: <oss-security@...ts.openwall.com>
Cc: "Bernhard Rusch" <Bernhard.Rusch@...ments.at>

Hi,

I have discovered a PHP object injection in Pimcore CMS. Depending on the PHP version under which Pimcore is running, it is possible to achieve remote code execution in the worst case, and arbitrary file deletion at best.

Please find attached the report, which is also available at https://github.com/pedrib/PoC/blob/master/pimcore-2.1.0.txt

Can you please provide a CVE number for this?

Thanks in advance.

Regards
Pedro

Content of type "text/html" skipped

View attachment "pimcore-2.1.0.txt" of type "text/plain" (7191 bytes)