Vulnerability CVE-2014-2293


Published: 2018-03-26

Description:
Zikula Application Framework before 1.3.7 build 11 allows remote attackers to conduct PHP object injection attacks and delete arbitrary files or execute arbitrary PHP code via crafted serialized data in the (1) authentication_method_ser or (2) authentication_info_ser parameter to index.php, or (3) zikulaMobileTheme parameter to index.php.

See advisories in our WLB2 database:

Topic:  Zikula Application Framework <= 1.3.6 Multiple PHP Object Injection Vulnerabilities (risk: High)
Author: Egidio Romano
Date:   30.11.2014

Type:
CWE-94 (Improper Control of Generation of Code ('Code Injection'))

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score:         7.5/10
Impact Subscore:         6.4/10
Exploitability Subscore: 10/10
Exploit range:           Remote
Attack complexity:       Low
Authentication:          Not required
Confidentiality impact:  Partial
Integrity impact:        Partial
Availability impact:     Partial

Affected software:
Zikula -> Zikula application framework

References:
http://karmainsecurity.com/KIS-2014-02
https://exchange.xforce.ibmcloud.com/vulnerabilities/91786
https://exchange.xforce.ibmcloud.com/vulnerabilities/91787
https://secuniaresearch.flexerasoftware.com/secunia_research/2014-2/

Copyright 2024, cxsecurity.com
