{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "5.7.1" } ] }, "events": [ { "introduced": "0" }, { "fixed": "14f1a25000cf6e2b23ee675914610cd303d2cf43" }, { "fixed": "38a29e2f4f5f060a73974626952501cee05fda73" } ], "repo": "https://github.com/pimcore/pimcore", "type": "GIT" } ] } ], "details": "An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to /admin/class/bulk-commit, which will make it possible to exploit the unserialize function when passing untrusted values in the data parameter to bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php.", "id": "CVE-2019-10867", "modified": "2026-04-01T23:10:19.177305252Z", "published": "2019-04-04T18:29:00.713Z", "references": [ { "type": "ADVISORY", "url": "http://www.rapid7.com/db/modules/exploit/multi/http/pimcore_unserialize_rce" }, { "type": "FIX", "url": "https://github.com/pimcore/pimcore/commit/38a29e2f4f5f060a73974626952501cee05fda73" }, { "type": "ARTICLE", "url": "https://blog.certimetergroup.com/it/articolo/security/polyglot_phar_deserialization_to_rce" }, { "type": "EVIDENCE", "url": "https://www.exploit-db.com/exploits/46783/" }, { "type": "EVIDENCE", "url": "http://packetstormsecurity.com/files/152667/Pimcore-Unserialize-Remote-Code-Execution.html" }, { "type": "EVIDENCE", "url": "https://snyk.io/vuln/SNYK-PHP-PIMCOREPIMCORE-173998" } ], "related": [ "SNYK-PHP-PIMCOREPIMCORE-173998" ], "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ] }