CVE-2014-5297

X2Engine 2.8-4.1.7 - PHP Object Injection and Server-Side Request Forgery via Report Parameter

Title source: llm
STIX 2.1

Description

The actionSendErrorReport method in protected/controllers/SiteController.php in X2Engine 2.8 through 4.1.7 allows remote attackers to conduct PHP object injection and Server-Side Request Forgery (SSRF) attacks via crafted serialized data in the report parameter.

References (5)

Core 5
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/533513/100/0/threaded
Exploit x_refsource_misc
http://karmainsecurity.com/KIS-2014-09
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Sep/77

Scores

EPSS 0.0267
EPSS Percentile 83.9%

Details

CWE
CWE-94
Status published
Products (2)
x2engine/x2engine 2.8
x2engine/x2engine 4.1.7
Published Oct 10, 2014
Tracked Since Feb 18, 2026