Pimcore has improper quoting of columns when calling methods "getByUuid" & "exists" on UUID Model
CVE-2023-28108

7.8HIGH

Key Information:

Vendor
pimcore
Status
pimcore
Vendor
CVE Published:
16 March 2023

Summary

Pimcore, a leading open-source data and experience management platform, has a notable vulnerability affecting versions prior to 10.5.19. This vulnerability arises from inadequate quoting in the UUID DAO model, leading to potential SQL injection risks. If developers utilize these methods without proper input validation, they may inadvertently allow the injection of custom SQL queries. It is crucial for users to upgrade to version 10.5.19 to receive the necessary patch or alternatively apply the patch manually to secure their applications.

Affected Version(s)

pimcore < 10.5.19

References

https://github.com/pimcore/pimcore/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/pimcore/pimcore/pull/14633
x_refsource_MISC
https://github.com/pimcore/pimcore/commit/08e7ba56ae983c3...
x_refsource_MISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.