QwikSec

Security Database

CVE

CWE

Training

CVE-2014-5297

Published: Oct 10, 2014

Modified: Aug 6, 2024

PUBLISHED

Description

The actionSendErrorReport method in protected/controllers/SiteController.php in X2Engine 2.8 through 4.1.7 allows remote attackers to conduct PHP object injection and Server-Side Request Forgery (SSRF) attacks via crafted serialized data in the report parameter.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://packetstormsecurity.com/files/128352/X2Engine-4.1.7-PHP-Object-Injection.html

x_refsource_MISC

http://x2community.com/topic/1804-important-security-patch/

x_refsource_CONFIRM

20140923 [KIS-2014-09] X2Engine <= 4.1.7 (SiteController.php) PHP Object Injection Vulnerability

mailing-list

x_refsource_BUGTRAQ

http://karmainsecurity.com/KIS-2014-09

x_refsource_MISC

20140923 [KIS-2014-09] X2Engine <= 4.1.7 (SiteController.php) PHP Object Injection Vulnerability

mailing-list

x_refsource_FULLDISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.