CVE-2019-16317

In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerability than CVE-2019-10867 and CVE-2019-16318.
Configurations

Configuration 1

cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*

Information

Published : 2019-09-14 06:15

Updated : 2019-09-17 01:04


NVD link : CVE-2019-16317

Mitre link : CVE-2019-16317

Products Affected
No products.
CWE
CWE-502

Deserialization of Untrusted Data