CVE-2014-8791

Tuleap < 7.7 - Authenticated PHP Object Injection via Project Registration Data Parameter


Exploitation Summary

EIP tracks 2 public exploits for CVE-2014-8791. PoCs published by Metasploit, including Metasploit module exploits/unix/webapp/tuleap_unserialize_exec.

AI-analyzed exploit summary: This Metasploit module exploits a PHP object injection vulnerability in Tuleap <= 7.6-4 via an authenticated POST request to 'project/register.php'. It leverages a crafted serialized payload to trigger arbitrary code execution through the destructor method of the Jabbex class.

Description

project/register.php in Tuleap before 7.7, when sys_create_project_in_one_step is disabled, allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via the data parameter.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/35545

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Tuleap <= 7.6-4
Auth required
Prerequisites: Valid credentials for Tuleap · sys_create_project_in_one_step option disabled
devstral-2 · analyzed Feb 16, 2026
metasploit · WORKING POC · EXCELLENT
ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/tuleap_unserialize_exec.rb

This Metasploit module exploits a PHP object injection vulnerability in Tuleap <= 7.6-4 via unsafe unserialize() in 'register.php'. It chains gadgets (Jabbex, Jabber, Transition_PostAction_FieldFactory) to execute arbitrary PHP code via eval() after authentication.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Tuleap <= 7.6-4
Auth required
Prerequisites: Valid credentials · sys_create_project_in_one_step disabled
devstral-2 · analyzed Feb 16, 2026

References (5)

Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid)
http://www.securityfocus.com/bid/71335
Third Party Advisory, VDB Entry (mailing-list, x_refsource_bugtraq)
http://www.securityfocus.com/archive/1/534105/100/0/threaded
Exploit (mailing-list, x_refsource_fulldisc)
http://seclists.org/fulldisclosure/2014/Nov/101
Exploit (x_refsource_misc)
http://karmainsecurity.com/KIS-2014-13

Scores

EPSS score: 0.1477
EPSS percentile: 96.2%

Details

CWE: CWE-94
Status: published
Products (1): enalean/tuleap 7.6
Published: Dec 02, 2014
Tracked since: Feb 18, 2026