CVE-2014-2293
CRITICALZikula Application Framework <1.3.7 build 11 - Code Injection
Title source: llmDescription
Zikula Application Framework before 1.3.7 build 11 allows remote attackers to conduct PHP object injection attacks and delete arbitrary files or execute arbitrary PHP code via crafted serialized data in the (1) authentication_method_ser or (2) authentication_info_ser parameter to index.php, or (3) zikulaMobileTheme parameter to index.php.
References (4)
Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/91787
Third Party Advisory x_refsource_misc
https://secuniaresearch.flexerasoftware.com/secunia_research/2014-2/
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/91786
Third Party Advisory x_refsource_misc
http://karmainsecurity.com/KIS-2014-02
Scores
CVSS v3
9.8
EPSS
0.0486
EPSS Percentile
90.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
Status
published
Products (1)
zikula/zikula_application_framework
< 1.3.6
Published
Mar 26, 2018
Tracked Since
Feb 18, 2026