PHP Object Injection Vulnerability in webEdition CMS Installer Script
CVE-2014-2302

9.8CRITICAL

Key Information:

Vendor

Webedition

Status
Webedition Cms
Vendor
CVE Published:
19 July 2018

What is CVE-2014-2302?

The installer script of webEdition CMS prior to version 6.2.7-s1 and version 6.3.x before 6.3.8-s1 is susceptible to PHP Object Injection attacks. Attackers can exploit this vulnerability by intercepting requests directed at update.webedition.org, potentially allowing them to execute arbitrary PHP code. This could compromise the integrity and security of the affected web applications, making prompt updates essential.

References

http://seclists.org/fulldisclosure/2014/May/147
mailing-listx_refsource_FULLDISC
http://packetstormsecurity.com/files/126861/webEdition-CM...
x_refsource_MISC
http://www.securityfocus.com/bid/67692
vdb-entryx_refsource_BID

EPSS Score

10% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.