Pimcore
CVE-2022-31092
HIGH
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Pimcore is an Open Source Data & Experience Management Platform. Pimcore offers developers listing classes to make querying data easier. This listing classes also allow to order or group the results based on one or more columns which should be quoted by default. The actual issue is that quoting is not done properly in both cases, so there's the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper input validation in advance and so relies on the auto-quoting being done by the listing classes. This issue has been resolved in version 10.4.4. Users are advised to upgrade or to apple the patch manually. There are no known workarounds for this issue.
AnalysisAI
Pimcore is an Open Source Data & Experience Management Platform. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Technical ContextAI
This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. Pimcore is an Open Source Data & Experience Management Platform. Pimcore offers developers listing classes to make querying data easier. This listing classes also allow to order or group the results based on one or more columns which should be quoted by default. The actual issue is that quoting is not done properly in both cases, so there's the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper input validation in advance and so relies on the auto-quoting being done by the listing classes. This issue has been resolved in version 10.4.4. Users are advised to upgrade or to apple the patch manually. There are no known workarounds for this issue. Affected products include: Pimcore. Version information: version 10.4.4..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.
An issue was discovered in Pimcore before 5.7.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated cri
Blind SQL injection in Pimcore's Admin Search Find API allows authenticated attackers to extract database information th
Pimcore is an Open Source Data & Experience Management Platform. Rated high severity (CVSS 8.8), this vulnerability is r
Path Traversal: '\..\filename' in GitHub repository pimcore/pimcore prior to 10.5.22. Rated high severity (CVSS 8.8), th
Privilege Defined With Unsafe Actions in GitHub repository pimcore/pimcore prior to 10.5.23. Rated high severity (CVSS 8
SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.21. Rated high severity (CVSS 8.8), this vulnerability
SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.19. Rated high severity (CVSS 8.8), this vulnerability
An improper SameSite Attribute vulnerability in pimCore v10.5.15 allows attackers to execute arbitrary code. Rated high
This affects the package pimcore/pimcore before 10.0.7. Rated high severity (CVSS 8.8), this vulnerability is remotely e
Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validati
Pimcore is an open source data and experience management platform. Rated high severity (CVSS 8.7), this vulnerability is
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today