CVE-2014-5297
X2Engine 2.8-4.1.7 - PHP Object Injection and Server-Side Request Forgery via Report Parameter
The actionSendErrorReport method in protected/controllers/SiteController.php in X2Engine 2.8 through 4.1.7 allows remote attackers to conduct PHP object injection and Server-Side Request Forgery (SSRF) attacks via crafted serialized data in the report parameter.
References (5)
Core References
Exploit x_refsource_misc
http://packetstormsecurity.com/files/128352/X2Engine-4.1.7-PHP-Object-Injection.html
Patch x_refsource_confirm
http://x2community.com/topic/1804-important-security-patch/
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/533513/100/0/threaded
Exploit x_refsource_misc
http://karmainsecurity.com/KIS-2014-09
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Sep/77
Scores
EPSS: 0.0267
EPSS Percentile: 83.9%
Details
CWE: CWE-94
Status: published
Products (2)
x2engine/x2engine 2.8
x2engine/x2engine 4.1.7
Published: Oct 10, 2014
Tracked Since: Feb 18, 2026