CVE-2014-2921

pimcore 1.4.9-2.0.0 - Remote Code Execution via Newsletter Import URL Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-2921.

AI-analyzed exploit summary This exploit demonstrates a PHP object injection vulnerability in Pimcore CMS via unserialize() in the Newsletter.php file. It includes functional payloads for remote code execution (RCE) and arbitrary file deletion, leveraging Zend framework classes.

Description

The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.0.0 does not properly handle an object obtained by unserializing Lucene search data, which allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via vectors involving a Zend_Pdf_ElementFactory_Proxy object and a pathname with a trailing \0 character.

Exploits (1)

exploitdb WORKING POC
webappshardware
https://www.exploit-db.com/exploits/43886

This exploit demonstrates a PHP object injection vulnerability in Pimcore CMS via unserialize() in the Newsletter.php file. It includes functional payloads for remote code execution (RCE) and arbitrary file deletion, leveraging Zend framework classes.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Pimcore CMS 1.4.9 to 2.1.0
No auth needed
Prerequisites: Access to the newsletter unsubscribe page · PHP <= 5.3.3 for RCE payload
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3
Core References
Patch, Vendor Advisory x_refsource_confirm
http://www.pimcore.org/en/resources/blog/pimcore+2.2+released_b442
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2014/04/21/1

Scores

EPSS 0.0046
EPSS Percentile 64.8%

Details

CWE
CWE-94
Status published
Products (5)
pimcore/pimcore 1.4.9
pimcore/pimcore 1.5.0
pimcore/pimcore 2.1.0
pimcore/pimcore 2.2.0
pimcore/pimcore 1.4.9 - 2.2.0Packagist
Published Apr 21, 2014
Tracked Since Feb 18, 2026