The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.0.0 does not properly handle an object obtained by unserializing Lucene search data,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
RCE
PHP
Code Injection
Pimcore
NVD
GitHub
Exploit-DB
VulDB
CVSS 2.0
7.5
EPSS
0.5%