SQL injection in Pimcore - CVE-2022-31092

 

SQL injection in Pimcore - CVE-2022-31092

Published: June 22, 2022 / Updated: June 12, 2026


Vulnerability identifier: #VU134426
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-31092
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pimcore
Affected software:
Pimcore

Detailed vulnerability description

The vulnerability allows a remote attacker to inject arbitrary SQL commands.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in listing classes when processing user-supplied values passed to setOrderBy() or setGroupBy(). A remote attacker can supply crafted column input to inject arbitrary SQL commands.

Exploitation is possible if application code passes untrusted input to these methods while relying on automatic quoting.


How to mitigate CVE-2022-31092

Install security update from vendor's website.

Sources