Unrated severityNVD Advisory· Published Apr 21, 2014· Updated May 6, 2026

CVE-2014-2922

Description

The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.1.0 does not properly handle an object obtained by unserializing a pathname, which allows remote attackers to conduct PHP object injection attacks and delete arbitrary files via vectors involving a Zend_Http_Response_Stream object.

Affected products

Pimcore/Pimcore3 versions
cpe:2.3:a:pimcore:pimcore:2.1.0:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:pimcore:pimcore:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:1.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:1.5.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/pedrib/PoC/blob/master/pimcore-2.1.0.txtnvdExploit
www.pimcore.org/en/resources/blog/pimcore+2.2+released_b442nvdVendor Advisory
openwall.com/lists/oss-security/2014/04/21/1nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000