High severity · NVD Advisory · Published Apr 21, 2014 · Updated Jun 17, 2026
CVE-2014-2921
Description
The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.0.0 does not properly handle an object obtained by unserializing Lucene search data, which allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via vectors involving a Zend_Pdf_ElementFactory_Proxy object and a pathname with a trailing \0 character.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pimcore/pimcore (Packagist) | >= 1.4.9, < 2.2.0 | 2.2.0 |
References
- www.pimcore.org/en/resources/blog/pimcore+2.2+released_b442 (nvd: Patch, Vendor Advisory; WEB)
- github.com/pedrib/PoC/blob/master/pimcore-2.1.0.txt (nvd: Exploit; WEB)
- github.com/advisories/GHSA-g7pj-3v97-3vxp (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2014-2921 (ghsa; ADVISORY)
- openwall.com/lists/oss-security/2014/04/21/1 (nvd; WEB)
- github.com/pedrib/PoC/blob/caa03645e256a8b50f1101c983d39586ebc467ee/advisories/pimcore-2.1.0.txt (ghsa; WEB)
- github.com/pimcore/pimcore/commit/3cb2683e669b5644f180d362cfa9614c09bef280 (ghsa; WEB)