CVE-2019-10867

Name of the Vulnerable Software and Affected Versions Pimcore versions prior to 5.7.1

Description An issue allows an attacker with classes permission to exploit the unserialize function by sending a POST request to "/admin/class/bulk-commit" and passing untrusted values in the data parameter to bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php.

Recommendations For versions prior to 5.7.1, update to version 5.7.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/admin/class/bulk-commit" endpoint or limiting the ability to pass untrusted values in the data parameter until a patch is applied.