Arbitrary PHP Code Execution via PHP Object Injection in Tuleap Project Registration

Arbitrary PHP Code Execution via PHP Object Injection in Tuleap Project Registration

CVE-2014-8791 · MEDIUM Severity

AV:N/AC:M/AU:S/C:P/I:P/A:P

project/register.php in Tuleap before 7.7, when sys_create_project_in_one_step is disabled, allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via the data parameter.

Learn more about our User Device Pen Test.