SQL injection in Pimcore - CVE-2022-31092
Published: June 22, 2022 / Updated: June 12, 2026
Pimcore
Detailed vulnerability description
The vulnerability allows a remote attacker to inject arbitrary SQL commands.
The vulnerability exists due to improper neutralization of special elements used in an SQL command in listing classes when processing user-supplied values passed to setOrderBy() or setGroupBy(). A remote attacker can supply crafted column input to inject arbitrary SQL commands.
Exploitation is possible if application code passes untrusted input to these methods while relying on automatic quoting.