4 matches found
CVE-2019-10867
An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to /admin/class/bulk-commit, which will make it possible to exploit the unserialize function when passing untrusted values in the data parameter to...
Directory traversal
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different...
CVE-2019-10867
creationtimestamp| type| source ---|---|--- 2019-04-29 14:02:32+00:00| seen| https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/pimcoreunserializerce.rb 2019-04-30 00:00:00+00:00| exploited| https://www.exploit-db.com/exploits/46783 2024-11-14 06:10:01+00:00|...
CVE-2019-10867
Pimcore before 5.7.1 contains an unserialize RCE vulnerability. An attacker with classes permission can send a POST to /admin/class/bulk-commit, which triggers unserialize when untrusted data is passed to bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php. This exposes a remote c...