CVE-2014-1613

Dotclear < 2.6.2 - Remote Code Execution via Serialized Object in dc_passwd Cookie

Title source: llm

Description

Dotclear before 2.6.2 allows remote attackers to execute arbitrary PHP code via a serialized object in the dc_passwd cookie to a password-protected page, which is not properly handled by (1) inc/public/lib.urlhandlers.php or (2) plugins/pages/_public.php.

Scores

EPSS 0.0228
EPSS Percentile 81.0%

Details

CWE CWE-94
Status published
Products (25)
dotclear/dotclear 2.0 (10 CPE variants)
dotclear/dotclear 2.0.1
dotclear/dotclear 2.0.2
dotclear/dotclear 2.1
dotclear/dotclear 2.1.1
dotclear/dotclear 2.1.3
dotclear/dotclear 2.1.4
dotclear/dotclear 2.1.5
dotclear/dotclear 2.1.6
dotclear/dotclear 2.1.7
... and 15 more
Published May 16, 2014
Tracked Since Feb 18, 2026