CVE-2014-2293

Name of the Vulnerable Software and Affected Versions Zikula Application Framework versions prior to 1.3.7 build 11

Description The issue allows remote attackers to conduct PHP object injection attacks, potentially leading to the deletion of arbitrary files or the execution of arbitrary PHP code. This can be achieved by providing crafted serialized data in specific parameters, including the authentication method ser or authentication info ser parameter to "index.php", or the zikulaMobileTheme parameter to "index.php".

Recommendations For versions prior to 1.3.7 build 11, update to version 1.3.7 build 11 or later to resolve the issue. As a temporary workaround, consider restricting access to the "index.php" endpoint or validating and sanitizing user input for the authentication method ser, authentication info ser, and zikulaMobileTheme parameters to minimize the risk of exploitation.