Squiz Matrix CMS up to 5.5.0.2/5.5.1.7/5.5.2.3/5.5.3.2 page_remote_content.inc POST Parameter deserialization
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
7.2 | $0-$5k | 0.00 |
A vulnerability has been found in Squiz Matrix CMS up to 5.5.0.2/5.5.1.7/5.5.2.3/5.5.3.2 (Content Management System) and classified as critical. Affected by this vulnerability is an unknown functionality of the file packages/cms/page_templates/page_remote_content/page_remote_content.inc. The manipulation as part of a POST Parameter leads to a deserialization vulnerability. The CWE definition for the vulnerability is CWE-502. The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:
An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can trigger arbitrary unserialization of a PHP object from a packages/cms/page_templates/page_remote_content/page_remote_content.inc POST parameter during processing of a Remote Content page type. This unserialization can be used to trigger the inclusion of arbitrary files on the filesystem (local file inclusion), and results in remote code execution.
The weakness was released 12/11/2019. This vulnerability is known as CVE-2019-19373 since 11/28/2019. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details are known, but no exploit is available.
Upgrading to version 5.5.0.3, 5.5.1.8, 5.5.2.4 or 5.5.3.3 eliminates this vulnerability.
Entry connected to this vulnerability is available at 147002.
Product
Type
Vendor
Name
Version
- 5.5.0.0
- 5.5.0.1
- 5.5.0.2
- 5.5.1.0
- 5.5.1.1
- 5.5.1.2
- 5.5.1.3
- 5.5.1.4
- 5.5.1.5
- 5.5.1.6
- 5.5.1.7
- 5.5.2.0
- 5.5.2.1
- 5.5.2.2
- 5.5.2.3
- 5.5.3.0
- 5.5.3.1
- 5.5.3.2
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.4VulDB Meta Temp Score: 7.2
VulDB Base Score: 7.3
VulDB Temp Score: 7.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 7.5
NVD Vector: 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: DeserializationCWE: CWE-502 / CWE-20
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Matrix CMS 5.5.0.3/5.5.1.8/5.5.2.4/5.5.3.3
Timeline
11/28/2019 🔍12/11/2019 🔍
12/12/2019 🔍
03/10/2024 🔍
Sources
Advisory: 155671Status: Not defined
CVE: CVE-2019-19373 (🔍)
See also: 🔍
Entry
Created: 12/12/2019 08:57Updated: 03/10/2024 13:15
Changes: 12/12/2019 08:57 (39), 12/12/2019 09:02 (18), 03/10/2024 13:10 (5), 03/10/2024 13:15 (1)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.