Pimcore SQL Injection Vulnerability in Admin Translations API
CVE-2023-30850

8.8HIGH

Key Information:

Vendor
Pimcore
Status
Pimcore
Vendor
CVE Published:
27 April 2023

Summary

A vulnerability exists in the Pimcore Experience Management Platform prior to version 10.5.21 that allows for SQL Injection via the admin translations API. This can result in unauthorized access to sensitive data. Users are advised to upgrade to version 10.5.21 to mitigate this risk. Additionally, users can apply the patch manually as a temporary solution. For more details and the patch, refer to the provided documentation.

Affected Version(s)

pimcore < 10.5.21

References

https://github.com/pimcore/pimcore/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/pimcore/pimcore/pull/14952
x_refsource_MISC
https://github.com/pimcore/pimcore/commit/7e32cc28145274d...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.