Pimcore
Monthly
An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered. This issue affects pimcore: v12.3.3.
An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. This issue affects pimcore: 12.3.3.
Pimcore is an Open Source Data & Experience Management Platform. [CVSS 4.9 MEDIUM]
Pimcore versions prior to 12.3.1 and 11.5.14 fail to properly validate authorization on the static routes API endpoint, allowing authenticated users without proper permissions to view sensitive route configurations including regex patterns and controller mappings. Public exploit code exists for this vulnerability, and no patch is currently available. The issue affects both PHP and Pimcore installations where backend users with limited privileges could gain unauthorized access to routing infrastructure details.
Pimcore versions up to 12.3.1 is affected by insertion of sensitive information into log file (CVSS 8.6).
Blind SQL injection in Pimcore's Admin Search Find API allows authenticated attackers to extract database information through inferential techniques, bypassing the incomplete mitigation from a prior patch that only removed comment-based attacks. The vulnerability affects Pimcore versions prior to 12.3.1 and 11.5.14, with public exploit code available. Patched versions are available and should be deployed immediately.
A vulnerability, which was classified as critical, has been found in Pimcore customer-data-framework up to 4.2.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability classified as problematic was found in Pimcore 11.4.2. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered. This issue affects pimcore: v12.3.3.
An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. This issue affects pimcore: 12.3.3.
Pimcore is an Open Source Data & Experience Management Platform. [CVSS 4.9 MEDIUM]
Pimcore versions prior to 12.3.1 and 11.5.14 fail to properly validate authorization on the static routes API endpoint, allowing authenticated users without proper permissions to view sensitive route configurations including regex patterns and controller mappings. Public exploit code exists for this vulnerability, and no patch is currently available. The issue affects both PHP and Pimcore installations where backend users with limited privileges could gain unauthorized access to routing infrastructure details.
Pimcore versions up to 12.3.1 is affected by insertion of sensitive information into log file (CVSS 8.6).
Blind SQL injection in Pimcore's Admin Search Find API allows authenticated attackers to extract database information through inferential techniques, bypassing the incomplete mitigation from a prior patch that only removed comment-based attacks. The vulnerability affects Pimcore versions prior to 12.3.1 and 11.5.14, with public exploit code available. Patched versions are available and should be deployed immediately.
A vulnerability, which was classified as critical, has been found in Pimcore customer-data-framework up to 4.2.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability classified as problematic was found in Pimcore 11.4.2. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.