CVE-2011-4962
SilverStripe CMS 2.4.0-2.4.5 - Remote Code Execution via Deserialization in User Comment Cookie
Title source: llmDescription
code/sitefeatures/PageCommentInterface.php in SilverStripe 2.4.x before 2.4.6 might allow remote attackers to execute arbitrary code via a crafted cookie in a user comment submission, which is not properly handled when it is deserialized.
References (4)
Core 4
Core References
Patch mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/04/30/1
Exploit, Patch x_refsource_confirm
https://github.com/silverstripe/silverstripe-cms/commit/d15e850
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/04/30/3
Vendor Advisory x_refsource_confirm
http://doc.silverstripe.org/framework/en/trunk/changelogs/2.4.6
Scores
EPSS
0.0392
EPSS Percentile
89.1%
Details
CWE
CWE-20
Status
published
Products (7)
silverstripe/cms
2.4.0 - 2.4.6Packagist
silverstripe/silverstripe
2.4.0
silverstripe/silverstripe
2.4.1
silverstripe/silverstripe
2.4.2
silverstripe/silverstripe
2.4.3
silverstripe/silverstripe
2.4.4
silverstripe/silverstripe
2.4.5
Published
Sep 17, 2012
Tracked Since
Feb 18, 2026