Multiple vulnerabilities in Pimcore
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 21 |
| CVE-ID | CVE-2023-2323 CVE-2023-2327 CVE-2023-2328 CVE-2023-2332 CVE-2023-2322 CVE-2023-2338 CVE-2023-2336 CVE-2023-30850 CVE-2023-2340 CVE-2023-2339 CVE-2023-30848 CVE-2023-2342 CVE-2023-2343 CVE-2023-30852 CVE-2023-2361 CVE-2023-30849 CVE-2023-2341 CVE-2023-2615 CVE-2023-2616 CVE-2023-2630 CVE-2023-2614 |
| CWE-ID | CWE-79 CWE-89 CWE-22 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #9 is available. Public exploit code for vulnerability #10 is available. Public exploit code for vulnerability #12 is available. Public exploit code for vulnerability #13 is available. Public exploit code for vulnerability #15 is available. Public exploit code for vulnerability #17 is available. Public exploit code for vulnerability #18 is available. Public exploit code for vulnerability #19 is available. Public exploit code for vulnerability #20 is available. Public exploit code for vulnerability #21 is available. |
| Vulnerable software |
Pimcore Web applications / CMS |
| Vendor | Pimcore |
Security Bulletin
This security bulletin contains information about 21 vulnerabilities.
Updated 28.04.2023
Added vulnerabilities #8-17
Updated 11.05.2023
Added vulnerabilities #18-21
1) Cross-site scripting
EUVDB-ID: #VU75548
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-2323
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Ecommerce Pricing Rules name field. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/security/advisories/GHSA-cjv6-w5hf-5wr6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Cross-site scripting
EUVDB-ID: #VU75552
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-2327
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in DataObject Class date fields. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/security/advisories/GHSA-x9xj-pqmv-8jf7
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Cross-site scripting
EUVDB-ID: #VU75551
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-2328
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in DataObjects QuantityValue Unit Definition. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/security/advisories/GHSA-2295-vh28-pphc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Cross-site scripting
EUVDB-ID: #VU75550
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-2332
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Conditions tab of Pricing Rules. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/security/advisories/GHSA-r7mm-jx6h-hv7m
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Cross-site scripting
EUVDB-ID: #VU75549
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-2322
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Document Properties Parameter. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/security/advisories/GHSA-476g-v7hf-cw5m
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) SQL injection
EUVDB-ID: #VU75553
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-2338
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in AssetController. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/security/advisories/GHSA-4x35-vr82-xvj6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Path traversal
EUVDB-ID: #VU75554
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-2336
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in Asset "import from server" option. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/security/advisories/GHSA-hg77-vx9v-f49x
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) SQL injection
EUVDB-ID: #VU75573
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-30850
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in Admin Translations API. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
MitigationInstall update from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/pull/14952
https://github.com/pimcore/pimcore/security/advisories/GHSA-jwg4-qcgv-5wg6
https://github.com/pimcore/pimcore/commit/7e32cc28145274ddfc30fb791012d26c1278bd38.patch
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Stored cross-site scripting
EUVDB-ID: #VU75566
Risk: Low
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear]
CVE-ID: CVE-2023-2340
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in DataObject columns grid. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/commit/aa38319e353cc3cdfac12e03e21ed7a8f3628d3e
https://huntr.dev/bounties/964762b0-b4fe-441c-81e1-0ebdbbf80f3b
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
10) Stored cross-site scripting
EUVDB-ID: #VU75565
Risk: Low
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear]
CVE-ID: CVE-2023-2339
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in DataObject Any Getter grid operator. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://huntr.dev/bounties/bb1537a5-fe7b-4c77-a582-10a82435fbc2
https://github.com/pimcore/pimcore/commit/6946f8a5a0a93b516c49f17a5b45044eebd73480
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
11) SQL injection
EUVDB-ID: #VU75571
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-30848
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in Admin Search Find API. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
MitigationInstall update from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/pull/14972
https://github.com/pimcore/pimcore/security/advisories/GHSA-6mhm-gcpf-5gr8
https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3.patch
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Cross-site scripting
EUVDB-ID: #VU75569
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear]
CVE-ID: CVE-2023-2342
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Website Settings name field. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://huntr.dev/bounties/01cd3ed5-dce8-4021-9de0-81cb14bf1829
https://github.com/pimcore/pimcore/commit/42a5bbe5f16b97371fdbfdcf2bb3ee759dea8564
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
13) Cross-site scripting
EUVDB-ID: #VU75570
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear]
CVE-ID: CVE-2023-2343
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in DataObject Classification Store. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/commit/f1d904094700b513c4756904fa2b1e19d08d890e
https://huntr.dev/bounties/2fa17227-a717-4b66-ab5a-16bffbb4edb2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
14) Path traversal
EUVDB-ID: #VU75576
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-30852
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in Admin JS CSS files within the "scriptPath" parameter. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/commit/498cadec2292f7842fb10612068ac78496e884b4.patch
https://github.com/pimcore/pimcore/pull/14959
https://github.com/pimcore/pimcore/security/advisories/GHSA-j5c3-r84f-9596
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Stored cross-site scripting
EUVDB-ID: #VU75577
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear]
CVE-ID: CVE-2023-2361
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/security/advisories/GHSA-9xg6-75mh-7x3f
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
16) SQL injection
EUVDB-ID: #VU75572
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-30849
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in Admin Translations Export API. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
MitigationInstall update from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/pull/14968
https://github.com/pimcore/pimcore/commit/c6c80905e58c7724c776f980570a56df7016c6d1.patch
https://github.com/pimcore/pimcore/security/advisories/GHSA-xmg8-w465-mr56
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Cross-site scripting
EUVDB-ID: #VU75567
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear]
CVE-ID: CVE-2023-2341
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Admin Login too many attempts notice. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/commit/66f1089fb1b9bcd575bfce9b1d4abb0f0499df11
https://huntr.dev/bounties/cf3901ac-a649-478f-ab08-094ef759c11d
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
18) Stored cross-site scripting
EUVDB-ID: #VU76008
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear]
CVE-ID: CVE-2023-2615
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Predefined Properties delete. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://huntr.dev/bounties/af9c360a-87f8-4e97-a24b-6db675ee942a
https://github.com/pimcore/pimcore/commit/7a799399e6843cd049e85da27ceb75b78505317f
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
19) Stored cross-site scripting
EUVDB-ID: #VU76010
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear]
CVE-ID: CVE-2023-2616
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Static Routes name field. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/commit/07a2c95be524c7e20105cef58c5767d4ebb06091
https://huntr.dev/bounties/564cb512-2bcc-4458-8c20-88110ab45801
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
20) Cross-site scripting
EUVDB-ID: #VU76007
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear]
CVE-ID: CVE-2023-2630
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Admin Translations. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/commit/7e32cc28145274ddfc30fb791012d26c1278bd38
https://huntr.dev/bounties/e1001870-b8d8-4921-8b9c-bbdfb1a1491e
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
21) Stored cross-site scripting
EUVDB-ID: #VU76009
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear]
CVE-ID: CVE-2023-2614
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in name field of Custom Reports. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 10.5.0 - 10.5.20
CPE2.3- cpe:2.3:a:pimcore:pimcore:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:10.5.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/commit/c36ef54ce33f7b5e74b7b0ab9eabfed47c018fc7
https://huntr.dev/bounties/1a5e6c65-2c5e-4617-9411-5b47a7e743a6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
