CVE-2019-16317: Deserialization of Untrusted Data
In Pimcore, an attacker with limited privileges can trigger execution of a .phar file by supplying a phar:// URL in a filename parameter, because PHAR uploads are not blocked and the uploaded file is reachable through a path such as phar://../../../../../../../../var/www/html/web/var/assets/. Opening an archive through the phar:// stream wrapper makes PHP unserialize the archive's metadata, which is why this is classed as deserialization of untrusted data.
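The two conditions the advisory names (a filename parameter that accepts a stream-wrapper URL, and PHAR archives that can be uploaded at all) map onto two defensive checks. The following is an added example written for this page, not Pimcore's own code; the function names are assumptions and it assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Added example (not Pimcore's code): defensive checks against the
// CVE-2019-16317 pattern. All function names here are assumptions.

// A filename parameter must name a plain file under the asset directory.
// Any "scheme:" prefix selects a PHP stream wrapper (phar:, data:, file: ...)
// and ".." segments walk out of the directory; reject both outright.
function isPlainAssetFilename(string $name): bool
{
    if ($name === '' || str_contains($name, "\0")) {
        return false;
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $name)) {
        return false;
    }
    foreach (preg_split('#[\\\\/]+#', $name) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }
    return true;
}

// Uploaded bytes that form a PHAR archive are refused regardless of extension:
// phar:// opens the archive whatever the file is called. A PHP-stub PHAR always
// carries "__HALT_COMPILER();" in its stub, so look for it in the leading bytes
// (defence in depth; the filename check above is the primary control).
function looksLikePhar(string $bytes, int $stubLimit = 65536): bool
{
    return stripos(substr($bytes, 0, $stubLimit), '__HALT_COMPILER();') !== false;
}

function acceptUpload(string $filename, string $bytes): bool
{
    return isPlainAssetFilename($filename)
        && strtolower(pathinfo($filename, PATHINFO_EXTENSION)) !== 'phar'
        && !looksLikePhar($bytes);
}

// Constructed inputs for a self-check (run: php this_file.php).
$cases = [
    ['logo.png', "\x89PNG\r\n\x1a\n", true],
    ['phar://../../../../../../../../var/www/html/web/var/assets/x.phar', '', false],
    ['disguised.jpg', "<?php __HALT_COMPILER(); ?>\r\n", false],
    ['../../etc/passwd', 'x', false],
];
foreach ($cases as [$name, $bytes, $expected]) {
    if (acceptUpload($name, $bytes) !== $expected) {
        fwrite(STDERR, "check failed for $name\n");
        exit(1);
    }
}
echo "all checks passed\n";
```

Tar- and zip-based PHARs carry no PHP stub, so the content check does not catch them; that is why the wrapper-prefix rejection on the filename is the control that actually closes this class of bug.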