Pimcore has improper quoting of columns when calling methods "getByUuid" & "exists" on UUID Model
CVE-2023-28108

7.9HIGH

Key Information:

Vendor

Pimcore
Status
Pimcore
Vendor
CVE Published:
16 March 2023

What is CVE-2023-28108?

Pimcore, a leading open-source data and experience management platform, has a notable vulnerability affecting versions prior to 10.5.19. This vulnerability arises from inadequate quoting in the UUID DAO model, leading to potential SQL injection risks. If developers utilize these methods without proper input validation, they may inadvertently allow the injection of custom SQL queries. It is crucial for users to upgrade to version 10.5.19 to receive the necessary patch or alternatively apply the patch manually to secure their applications.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

pimcore < 10.5.19

References

https://github.com/pimcore/pimcore/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/pimcore/pimcore/pull/14633
x_refsource_MISC
https://github.com/pimcore/pimcore/commit/08e7ba56ae983c3...
x_refsource_MISC

CVSS V3.1

Score:
7.9
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.