CVE-2014-1613
Dotclear < 2.6.2 - Remote Code Execution via Serialized Object in dc_passwd Cookie
Dotclear before 2.6.2 allows remote attackers to execute arbitrary PHP code via a serialized object in the dc_passwd cookie to a password-protected page, which is not properly handled by (1) inc/public/lib.urlhandlers.php or (2) plugins/pages/_public.php.
References (2)
Core References
Exploit x_refsource_misc
https://labs.mwrinfosecurity.com/advisories/2014/05/14/dotclear-php-object-injection/
Patch, Vendor Advisory x_refsource_confirm
http://dotclear.org/blog/post/2014/01/20/Dotclear-2.6.2
Scores
EPSS: 0.0228
EPSS Percentile: 81.0%
Details
CWE: CWE-94
Status: published
Products (25)
dotclear/dotclear 2.0 (10 CPE variants)
dotclear/dotclear 2.0.1
dotclear/dotclear 2.0.2
dotclear/dotclear 2.1
dotclear/dotclear 2.1.1
dotclear/dotclear 2.1.3
dotclear/dotclear 2.1.4
dotclear/dotclear 2.1.5
dotclear/dotclear 2.1.6
dotclear/dotclear 2.1.7
... and 15 more
Published: May 16, 2014
Tracked Since: Feb 18, 2026