VYPR
High severity · NVD Advisory · Published Apr 21, 2014 · Updated Jun 17, 2026

CVE-2014-2921

Description

The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.0.0 does not properly handle an object obtained by unserializing Lucene search data, which allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via vectors involving a Zend_Pdf_ElementFactory_Proxy object and a pathname with a trailing \0 character.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: pimcore/pimcore (Packagist)
Affected versions: >= 1.4.9, < 2.2.0
Patched versions: 2.2.0

Affected products (5)

  • Pimcore/Pimcore (4 versions)
    • cpe:2.3:a:pimcore:pimcore:1.4.9:*:*:*:*:*:*:*
    • cpe:2.3:a:pimcore:pimcore:1.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:pimcore:pimcore:2.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:pimcore:pimcore:2.2.0:*:*:*:*:*:*:*
  • ghsa-coords
    Range: >= 1.4.9, < 2.2.0
