← Back

CVE-2019-19373

nvd nist
Published: Dec 11, 2019Modified: Nov 21, 2024

JSON object

Loading...
7.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 / Impact: 3.6
Source: NVD

Description

An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can trigger arbitrary unserialization of a PHP object from a packages/cms/page_templates/page_remote_content/page_remote_content.inc POST parameter during processing of a Remote Content page type. This unserialization can be used to trigger the inclusion of arbitrary files on the filesystem (local file inclusion), and results in remote code execution.

Affected (4)

Products: Squiz: Matrix
Squiz
1 product
Matrix
Configuration A
4 vulnerable
Vulnerable SoftwareAffected Versions
Squiz
Matrix
From 5.5.0.0 to 5.5.0.3
Matrix
From 5.5.1.0 to 5.5.1.8
Matrix
From 5.5.2.0 to 5.5.2.4
Matrix
From 5.5.3.0 to 5.5.3.3

Related CWEs

CWE-502
Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (8)

Source: cve@mitre.org
ExploitThird Party AdvisoryVDB Entry
Source: cve@mitre.org
ExploitMailing ListThird Party Advisory
Source: cve@mitre.org
Release Notes
Source: cve@mitre.org
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitMailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Release Notes
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party Advisory

Timeline

No history available yet.