Arbitrary PHP Code Execution in Dotclear before 2.6.2

CVE-2014-1613 · HIGH Severity

CVSS v2 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Dotclear before 2.6.2 allows remote attackers to execute arbitrary PHP code via a serialized object in the dc_passwd cookie to a password-protected page, which is not properly handled by (1) inc/public/lib.urlhandlers.php or (2) plugins/pages/_public.php.
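A detection sketch for the condition described above, flagging requests whose dc_passwd cookie carries a PHP serialized object. This is an added example, not Dotclear code; the function names and sample headers are constructed, and it assumes a legitimate dc_passwd value never contains a serialized object.

```python
import re
from urllib.parse import unquote

# PHP serialize() writes objects as O:<len>:"Class":... (C:... for classes
# implementing Serializable). Arrays (a:), strings (s:) and integers (i:)
# do not instantiate a class when unserialized.
OBJECT_TOKEN = re.compile(r'(?:^|[;{])[OC]:\d+:"')


def cookie_value(header, name):
    """Return the raw value of cookie `name` from a Cookie header, or None."""
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return value
    return None


def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded values are inspected too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(header, name="dc_passwd"):
    """True when the named cookie decodes to text holding an object token."""
    raw = cookie_value(header, name)
    if raw is None:
        return False
    # A string payload that merely contains the token text also matches;
    # for a cookie that should never hold objects, that is worth a look.
    return bool(OBJECT_TOKEN.search(decode(raw)))


def scan(headers):
    """Return the indexes of Cookie headers that should be reviewed."""
    return [i for i, header in enumerate(headers) if is_suspicious(header)]


# Constructed sample Cookie headers (stdClass is a harmless built-in class).
SAMPLE_HEADERS = [
    "dcxd=abc123; dc_passwd=a%3A1%3A%7Bi%3A12%3Bs%3A4%3A%22test%22%3B%7D",
    "dc_passwd=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",
    "dc_passwd=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D",
    "dc_passwd=%254F%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D",
    "theme=dark; lang=en",
]
```

Calling `scan(SAMPLE_HEADERS)` returns the indexes of the three headers whose cookie contains an object, including the nested and double-encoded cases.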
