SQL Injection in Admin Grid Filter API in Pimcore
CVE-2023-47637
8.8HIGH
What is CVE-2023-47637?
The Pimcore Open Source Data & Experience Management Platform is vulnerable to SQL injection through the /admin/object/grid-proxy endpoint. This vulnerability arises when the getFilterCondition() method processes unsanitized input, permitting malicious users with basic permissions to execute arbitrary SQL queries. This flaw could lead to unauthorized data modifications or privilege escalations to admin-level access. Users are strongly encouraged to upgrade to version 11.1.1 to mitigate risks associated with this vulnerability. No workarounds are available.
Affected Version(s)
pimcore < 11.1.1