PT-2019-15824 · Squiz · Squiz Matrix Cms

Stephen Shkardoon

·

Publicado

2019-12-11

·

Atualizado

2019-12-19

·

CVE-2019-19373

CVSS v3.1

7.5

Alta

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Squiz Matrix CMS versions 5.5.0 through 5.5.0.2 Squiz Matrix CMS versions 5.5.1 through 5.5.1.7 Squiz Matrix CMS versions 5.5.2 through 5.5.2.3 Squiz Matrix CMS versions 5.5.3 through 5.5.3.2
Description An issue allows a user to trigger arbitrary unserialization of a PHP object from a packages/cms/page templates/page remote content/page remote content.inc POST parameter during processing of a Remote Content page type. This unserialization can be used to trigger the inclusion of arbitrary files on the filesystem, resulting in remote code execution.
Recommendations For Squiz Matrix CMS versions 5.5.0 through 5.5.0.2, update to version 5.5.0.3 or later. For Squiz Matrix CMS versions 5.5.1 through 5.5.1.7, update to version 5.5.1.8 or later. For Squiz Matrix CMS versions 5.5.2 through 5.5.2.3, update to version 5.5.2.4 or later. For Squiz Matrix CMS versions 5.5.3 through 5.5.3.2, update to version 5.5.3.3 or later.

Exploit

Correção

RCE

Deserialization of Untrusted Data

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-502

Identificadores relacionados

CVE-2019-19373

Produtos afetados

Squiz Matrix Cms