CVE-2019-19373
N/A
N/A
Summary
An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can trigger arbitrary unserialization of a PHP object from a packages/cms/page_templates/page_remote_content/page_remote_content.inc POST parameter during processing of a Remote Content page type. This unserialization can be used to trigger the inclusion of arbitrary files on the filesystem (local file inclusion), and results in remote code execution.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://matrix.squiz.net/releases/5.5/5.5.3.3
- https://zxsecurity.co.nz/wp-content/uploads/2019/12/ZX%20Security%20Advisory%20-%20Squiz%20Matrix%20CMS%20-%20Multiple%20Vulnerabilities.pdf
- http://seclists.org/fulldisclosure/2019/Dec/34
- http://packetstormsecurity.com/files/155671/Squiz-Matrix-CMS-5.5.x.x-Code-Execution-Information-Disclosure.html
References
- https://matrix.squiz.net/releases/5.5/5.5.3.3
- https://zxsecurity.co.nz/wp-content/uploads/2019/12/ZX%20Security%20Advisory%20-%20Squiz%20Matrix%20CMS%20-%20Multiple%20Vulnerabilities.pdf
- http://seclists.org/fulldisclosure/2019/Dec/34
- http://packetstormsecurity.com/files/155671/Squiz-Matrix-CMS-5.5.x.x-Code-Execution-Information-Disclosure.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.