CVE-2019-19373

HIGH

Squiz Matrix CMS <5.5.0.3, 5.5.1 <5.5.1.8, 5.5.2 <5.5.2.4, 5.5.3 <5...

Title source: llm

Description

An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can trigger arbitrary unserialization of a PHP object from a packages/cms/page_templates/page_remote_content/page_remote_content.inc POST parameter during processing of a Remote Content page type. This unserialization can be used to trigger the inclusion of arbitrary files on the filesystem (local file inclusion), and results in remote code execution.

References (4)

Scores

CVSS v3 7.5
EPSS 0.0365
EPSS Percentile 87.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE
CWE-502
Status published

Affected Products (1)

squiz/matrix < 5.5.0.3

Timeline

Published Dec 11, 2019
Tracked Since Feb 18, 2026