CVE-2014-2293

CRITICAL

Zikula Application Framework <1.3.7 build 11 - Code Injection

Title source: llm
STIX 2.1

Description

Zikula Application Framework before 1.3.7 build 11 allows remote attackers to conduct PHP object injection attacks and delete arbitrary files or execute arbitrary PHP code via crafted serialized data in the (1) authentication_method_ser or (2) authentication_info_ser parameter to index.php, or (3) zikulaMobileTheme parameter to index.php.

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/91787
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/91786
Third Party Advisory x_refsource_misc
http://karmainsecurity.com/KIS-2014-02

Scores

CVSS v3 9.8
EPSS 0.0486
EPSS Percentile 90.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (1)
zikula/zikula_application_framework < 1.3.6
Published Mar 26, 2018
Tracked Since Feb 18, 2026