CVE-2014-2922

Name of the Vulnerable Software and Affected Versions pimcore versions 1.4.9 through 2.1.0

Description The issue concerns the getObjectByToken function in Newsletter.php within the Pimcore Tool Newsletter module. It fails to properly handle an object obtained by unserializing a pathname, allowing remote attackers to conduct PHP object injection attacks. This can lead to the deletion of arbitrary files via vectors involving a Zend Http Response Stream object.

Recommendations For pimcore versions 1.4.9 through 2.1.0, consider disabling the getObjectByToken function in Newsletter.php until a patch is available to prevent PHP object injection attacks. Restrict access to the Pimcore Tool Newsletter module to minimize the risk of exploitation.