CVE-2014-2922

pimcore 1.4.9-2.1.0 - PHP Object Injection and Arbitrary File Deletion via Newsletter Token Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-2922. PoCs published by Pedro Ribeiro.

AI-analyzed exploit summary The exploit demonstrates a PHP object injection vulnerability in Pimcore CMS via the `unserialize()` function in the newsletter unsubscribe page. It includes two payloads: one for remote code execution (RCE) on PHP <= 5.3.3 and another for arbitrary file deletion on any PHP version.

Description

The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.1.0 does not properly handle an object obtained by unserializing a pathname, which allows remote attackers to conduct PHP object injection attacks and delete arbitrary files via vectors involving a Zend_Http_Response_Stream object.

Exploits (1)

exploitdb WORKING POC
by Pedro Ribeiro · textwebappshardware
https://www.exploit-db.com/exploits/43886

The exploit demonstrates a PHP object injection vulnerability in Pimcore CMS via the `unserialize()` function in the newsletter unsubscribe page. It includes two payloads: one for remote code execution (RCE) on PHP <= 5.3.3 and another for arbitrary file deletion on any PHP version.

Classification
Working Poc 100%
Attack Type
Rce | Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Pimcore CMS 1.4.9 to 2.1.0
No auth needed
Prerequisites: Access to the newsletter unsubscribe page · PHP <= 5.3.3 for RCE payload
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3
Core References
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2014/04/21/1

Scores

EPSS 0.0290
EPSS Percentile 85.1%

Details

CWE
CWE-20
Status published
Products (3)
pimcore/pimcore 1.4.9
pimcore/pimcore 1.5.0
pimcore/pimcore 2.1.0
Published Apr 21, 2014
Tracked Since Feb 18, 2026