Pimcore Cms Dxp
Monthly
Twig sandbox bypass in Pimcore CMS/DXP 12.3.8 lets authenticated administrators escape the template sandbox by abusing empty checkMethodAllowed() and checkPropertyAllowed() implementations, enabling arbitrary method calls on internal PHP objects such as the DAO layer, Doctrine DBAL Connection, and PDO. Exploitation goes through a malicious Twig template injected via the DataObject ClassDefinition Layout\Text component and can lead to arbitrary file reads, arbitrary SQL execution, and potential remote code execution via PHP object gadget chains; the pimcore_* function wildcard broadens the bypass to every Pimcore Twig function. No public exploit identified at time of analysis, but VulnCheck has published an advisory describing the technique.
Twig sandbox bypass in Pimcore CMS/DXP 12.3.8 lets authenticated administrators escape the template sandbox by abusing empty checkMethodAllowed() and checkPropertyAllowed() implementations, enabling arbitrary method calls on internal PHP objects such as the DAO layer, Doctrine DBAL Connection, and PDO. Exploitation goes through a malicious Twig template injected via the DataObject ClassDefinition Layout\Text component and can lead to arbitrary file reads, arbitrary SQL execution, and potential remote code execution via PHP object gadget chains; the pimcore_* function wildcard broadens the bypass to every Pimcore Twig function. No public exploit identified at time of analysis, but VulnCheck has published an advisory describing the technique.