Vulnerability Description
Zikula Application Framework before 1.3.7 build 11 allows remote attackers to conduct PHP object injection attacks and delete arbitrary files or execute arbitrary PHP code via crafted serialized data in the (1) authentication_method_ser or (2) authentication_info_ser parameter to index.php, or (3) zikulaMobileTheme parameter to index.php.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zikula | Zikula Application Framework | <= 1.3.6 |
Related Weaknesses (CWE)
References
- http://karmainsecurity.com/KIS-2014-02Third Party Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/91786Third Party AdvisoryVDB Entry
- https://exchange.xforce.ibmcloud.com/vulnerabilities/91787Third Party AdvisoryVDB Entry
- https://secuniaresearch.flexerasoftware.com/secunia_research/2014-2/Third Party Advisory
- http://karmainsecurity.com/KIS-2014-02Third Party Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/91786Third Party AdvisoryVDB Entry
- https://exchange.xforce.ibmcloud.com/vulnerabilities/91787Third Party AdvisoryVDB Entry
- https://secuniaresearch.flexerasoftware.com/secunia_research/2014-2/Third Party Advisory
FAQ
What is CVE-2014-2293?
CVE-2014-2293 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Zikula Application Framework before 1.3.7 build 11 allows remote attackers to conduct PHP object injection attacks and delete arbitrary files or execute arbitrary PHP code via crafted serialized data ...
How severe is CVE-2014-2293?
CVE-2014-2293 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2014-2293?
Check the references section above for vendor advisories and patch information. Affected products include: Zikula Zikula Application Framework.