CVE-2019-14466

gosa-project/gosa-core

on github

Published

December 31, 2019

Severity

CVSS v3:

6.5 MEDIUM

CVSS v2:

5.5 MEDIUM

Description

The GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2 is vulnerable to PHP objection injection, which allows a remote authenticated attacker to perform file deletions (in the context of the user account that runs the web server) via a crafted cookie value, because unserialize is used to restore filter settings from a cookie.

References

https://lists.debian.org/debian-lts-announce/2019/08/msg00039.html
https://github.com/gosa-project/gosa-core/pull/29

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:gosa_project:gosa:2.7.5.2:::::::*	n/a	n/a	2.7.5.2
cpe:2.3:o:debian:debian_linux:8.0:::::::*	n/a	n/a	8.0

External Links

NVD - CVE-2019-14466