CVE-2014-2921

Name of the Vulnerable Software and Affected Versions pimcore versions 1.4.9 through 2.0.0

Description The issue concerns the getObjectByToken function in the Pimcore Tool Newsletter module, which does not properly handle objects obtained from unserializing Lucene search data. This allows remote attackers to conduct PHP object injection attacks, potentially leading to the execution of arbitrary code. The attack vectors involve a Zend Pdf ElementFactory Proxy object and a pathname with a trailing 0 character.

Recommendations For pimcore versions 1.4.9 through 2.0.0, consider disabling the getObjectByToken function in the Pimcore Tool Newsletter module as a temporary workaround until a patch is available. Restrict access to the Newsletter.php file to minimize the risk of exploitation. Avoid using the getObjectByToken function with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.