CVSS Score

The vulnerability stems from the pre-patch code calling unserialize($data['name']) in the bulkCommitAction method. The patch replaces this call with json_decode(), which directly addresses the insecure deserialization. Passing attacker-controlled data to unserialize() enables PHP object injection whenever classes with exploitable magic methods exist in the environment, and the same primitive is reachable through PHAR deserialization and polyglot-file attacks. The direct replacement visible in the commit diff, together with the CWE-502 classification, confirms this as the root cause.
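The pre-patch and patched patterns side by side, as an added illustration that is not pimcore's code: the `AuditLogger` class, the function names and the sample payload are hypothetical stand-ins for any class with a magic method that a serialized request parameter could reach.

```php
<?php
// Hypothetical class (not from pimcore) standing in for any autoloadable class
// whose magic method runs as a side effect of object (de)construction.
class AuditLogger
{
    public string $entry = 'default';

    public function __destruct()
    {
        // Runs automatically when the object is freed, including for objects
        // that only exist because unserialize() instantiated them.
        echo "AuditLogger::__destruct ran with entry='{$this->entry}'\n";
    }
}

// Constructed sample inputs: a legitimate client sends a list of names, but the
// same parameter can just as easily carry a serialized object of any class.
$benign  = serialize(['a', 'b']);            // a:2:{i:0;s:1:"a";i:1;s:1:"b";}
$payload = serialize(new AuditLogger());     // O:11:"AuditLogger":1:{...}

// Pre-patch pattern: unserialize() will instantiate whatever class the data names.
function namesVulnerable(string $data)
{
    return unserialize($data);
}

// Patched pattern: JSON has no object-instantiation semantics, so the result
// can only be arrays, strings, numbers, booleans or null.
function namesPatched(string $data): ?array
{
    $decoded = json_decode($data, true);
    return is_array($decoded) ? $decoded : null;
}

var_dump(namesVulnerable($benign));              // plain array, as intended
var_dump(get_class(namesVulnerable($payload)));  // "AuditLogger": __destruct fires
var_dump(namesPatched(json_encode(['a', 'b']))); // plain array
var_dump(namesPatched($payload));                // NULL: serialized PHP is not JSON

// If a serialized format must be kept, refusing all classes removes the
// object-injection primitive: the result is __PHP_Incomplete_Class and no
// AuditLogger code runs.
var_dump(unserialize($payload, ['allowed_classes' => false]));
```

The `allowed_classes` option requires PHP 7.0 or later; the typed property on `AuditLogger` requires PHP 7.4.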
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| pimcore/pimcore | composer | < 5.7.1 | 5.7.1 |