Pimcore < 5.71 Unserialize Remote Code Execution Exploit

This Metasploit module exploits a PHP unserialize in Pimcore before 5.7.1 to execute arbitrary code. An authenticated user with "classes" permission could exploit the vulnerability. The vulnerability exists in the "ClassController.php" class, where the "bulk-commit" method makes it possible to...

Pimcore Deserialization Vulnerability

In Pimcore versions prior to 5.7.1, a deserialization vulnerability exists in the handler function for the bulk-commit POST request. Recent assessments: space-r7 at September 12, 2019 6:07pm UTC reported: Details There exists a PHP deserialization vulnerability in Pimcore versions prior to 5.7.1...