CVE-2014-2293
moderate-risk
Published 2018-03-26
Zikula Application Framework before 1.3.7 build 11 allows remote attackers to conduct PHP object injection attacks and delete arbitrary files or execute arbitrary PHP code via crafted serialized data in the (1) authentication_method_ser or (2) authentication_info_ser parameter to index.php, or (3) zikulaMobileTheme parameter to index.php.
Do I need to act?
~
7.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (1)
Zikula Application Framework
Affected Vendors
References (8)
Third Party Advisory
http://karmainsecurity.com/KIS-2014-02
Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/91786
Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/91787
Third Party Advisory
https://secuniaresearch.flexerasoftware.com/secunia_research/2014-2/
Third Party Advisory
http://karmainsecurity.com/KIS-2014-02
Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/91786
Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/91787
Third Party Advisory
https://secuniaresearch.flexerasoftware.com/secunia_research/2014-2/
47
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
10/34 · Low
Exposure
5/34 · Minimal