CVE-2019-10867

Published: 04/04/2019 Updated: 18/03/2020
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 655
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

An issue exists in Pimcore prior to 5.7.1. An attacker with the classes permission can send a POST request to /admin/class/bulk-commit and exploit the unserialize function by passing untrusted values in the data parameter to bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php.

Vulnerable Product

pimcore pimcore

Exploits

    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    class MetasploitModule < Msf::Exploit::Remote
      Rank = NormalRanking

      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::FileDropper

      def initialize(info = {})
        super(update_info(info, ...

Github Repositories

A collection of Metasploit modules

This repo contains a collection of Metasploit modules.

Included modules

- Totaljs < 324 Directory Traversal (CVE-2019-8903)
- CMS Made Simple (CMSMS) Showtime2 < 363 File Upload RCE (CVE-2019-9692)
- Pimcore from 400 to 566 Unserialize RCE (CVE-2019-10867)
- Samsung SmartTV scanner

How to

Cloning the repo

    git clone github.com/certimetergroup/metasploit-