#VU78934 Path traversal in Pimcore - CVE-2023-38708

Cybersecurity Help s.r.o.

Published: 2023-08-04

Vulnerability identifier: #VU78934

Vulnerability risk: High

CVSSv4.0: 6.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2023-38708

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pimcore
Web applications / CMS

Vendor: Pimcore

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in AssetController:importServerFilesAction. A remote attacker can send a specially crafted HTTP request and overwrite or modify arbitrary files on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Pimcore: 10.6.0 - 10.6.6

External links
https://github.com/pimcore/pimcore/security/advisories/GHSA-34hj-v8fm-x887
https://github.com/pimcore/pimcore/commit/58012d0e3b8b926fb54eccbd64ec5c993b30c22c

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Path traversal in Pimcore