Bernhard Rusch

24 exploits Active since Apr 2019
CVE-2019-10867 WRITEUP HIGH WRITEUP
pimcore < 5.7.1 - Authenticated Remote Code Execution via Unserialize in Bulk-Commit Endpoint
An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to /admin/class/bulk-commit, which will make it possible to exploit the unserialize function when passing untrusted values in the data parameter to bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php.
CVSS 8.8
CVE-2021-23340 WRITEUP HIGH WRITEUP
pimcore <6.8.8 - Local File Inclusion
This affects the package pimcore/pimcore before 6.8.8. A Local FIle Inclusion vulnerability exists in the downloadCsvAction function of the CustomReportController class (bundles/AdminBundle/Controller/Reports/CustomReportController.php). An authenticated user can reach this function with a GET request at the following endpoint: /admin/reports/custom-report/download-csv?exportFile=&91;filename]. Since exportFile variable is not sanitized, an attacker can exploit a local file inclusion vulnerability.
CVSS 7.1
CVE-2019-16317 WRITEUP HIGH WRITEUP
pimcore < 5.7.1 - Authenticated Remote Code Execution via PHAR Deserialization
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerability than CVE-2019-10867 and CVE-2019-16318.
CVSS 8.8
CVE-2019-16318 WRITEUP HIGH WRITEUP
pimcore < 5.7.1 - Authenticated Unrestricted File Upload via Long Filename Bypass
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.
CVSS 8.8
CVE-2019-18656 WRITEUP MEDIUM WRITEUP
pimcore < 6.3.0 - Stored Cross-Site Scripting in Translations Grid
Pimcore 6.2.3 has XSS in the translations grid because bundles/AdminBundle/Resources/public/js/pimcore/settings/translations.js mishandles certain HTML elements.
CVSS 6.1
CVE-2019-18981 WRITEUP CRITICAL WRITEUP
pimcore < 6.2.2 - Inappropriate Encoding for Output Context
Pimcore before 6.2.2 lacks an Access Denied outcome for a certain scenario of an incorrect recipient ID of a notification.
CVSS 9.8
CVE-2019-18982 WRITEUP MEDIUM WRITEUP
Pimcore < 6.3.0 - Cross-Site Scripting in Email Log Preview Window
bundles/AdminBundle/Controller/Admin/EmailController.php in Pimcore before 6.3.0 allows script execution in the Email Log preview window because of the lack of a Content-Security-Policy header.
CVSS 6.1
CVE-2019-18985 WRITEUP CRITICAL WRITEUP
pimcore < 6.2.2 - Unauthenticated Excessive Authentication Attempts
Pimcore before 6.2.2 lacks brute force protection for the 2FA token.
CVSS 9.8
CVE-2019-18986 WRITEUP HIGH WRITEUP
pimcore < 6.2.2 - Username Enumeration via Forgot Password Distinct Error Messages
Pimcore before 6.2.2 allow attackers to brute-force (guess) valid usernames by using the 'forgot password' functionality as it returns distinct messages for invalid password and non-existing users.
CVSS 7.5
CVE-2021-4146 WRITEUP MEDIUM WRITEUP
pimcore < 10.2.6 - Business Logic Errors
Business Logic Errors in GitHub repository pimcore/pimcore prior to 10.2.6.
CVSS 4.3
CVE-2022-0256 WRITEUP MEDIUM WRITEUP
pimcore < 10.2.8 and 10.2.9 - Cross-Site Scripting
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS 5.4
CVE-2022-0257 WRITEUP MEDIUM WRITEUP
pimcore < 10.2.8 and >=0 < 10.2.9 - Cross-Site Scripting
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS 5.4
CVE-2022-0258 WRITEUP HIGH WRITEUP
pimcore < 10.2.8 and 10.2.9 - SQL Injection
pimcore is vulnerable to Improper Neutralization of Special Elements used in an SQL Command
CVSS 8.8
CVE-2022-0260 WRITEUP MEDIUM WRITEUP
pimcore < 10.2.7 - Stored Cross-Site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.2.7.
CVSS 5.4
CVE-2022-0262 WRITEUP MEDIUM WRITEUP
Packagist pimcore/pimcore <10.2.7 - XSS
Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.7.
CVSS 6.1
CVE-2022-0263 WRITEUP HIGH WRITEUP
Packagist pimcore/pimcore <10.2.7 - File Injection
Unrestricted Upload of File with Dangerous Type in Packagist pimcore/pimcore prior to 10.2.7.
CVSS 7.8
CVE-2022-0704 WRITEUP MEDIUM WRITEUP
GitHub pimcore/pimcore <10.4.0 - XSS
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.
CVSS 5.4
CVE-2022-0705 WRITEUP MEDIUM WRITEUP
GitHub pimcore/pimcore <10.4.0 - XSS
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.
CVSS 5.4
CVE-2022-0893 WRITEUP MEDIUM WRITEUP
pimcore < 10.3.0 and 10.4.0 - Stored Cross-Site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.
CVSS 5.4
CVE-2022-0894 WRITEUP MEDIUM WRITEUP
pimcore < 10.3.0 and 10.3.0-10.4.0 - Stored Cross-Site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.
CVSS 5.4
CVE-2022-0911 WRITEUP MEDIUM WRITEUP
pimcore < 10.3.0 and 10.3.0-10.4.0 - Stored Cross-Site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.
CVSS 5.4
CVE-2022-31092 WRITEUP HIGH WRITEUP
pimcore < 10.4.4 - SQL Injection via Listing Class Order/Group Methods
Pimcore is an Open Source Data & Experience Management Platform. Pimcore offers developers listing classes to make querying data easier. This listing classes also allow to order or group the results based on one or more columns which should be quoted by default. The actual issue is that quoting is not done properly in both cases, so there's the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper input validation in advance and so relies on the auto-quoting being done by the listing classes. This issue has been resolved in version 10.4.4. Users are advised to upgrade or to apple the patch manually. There are no known workarounds for this issue.
CVSS 7.5
CVE-2023-1578 WRITEUP HIGH WRITEUP
pimcore < 10.5.19 - SQL Injection
SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.19.
CVSS 8.8
CVE-2024-23648 WRITEUP HIGH WRITEUP
Pimcore Admin Classic Bundle < 1.2.3 - Account Takeover via Host Header Injection in Password Reset
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password. The URL sent contains a unique token, valid during 24 hours, allowing the user to reset its password. This token is highly sensitive ; as an attacker able to retrieve it would be able to resets the user's password. Prior to version 1.2.3, the reset-password URL is crafted using the "Host" HTTP header of the request sent to request a password reset. This way, an external attacker could send password requests for users, but specify a "Host" header of a website that they control. If the user receiving the mail clicks on the link, the attacker would retrieve the reset token of the victim and perform account takeover. Version 1.2.3 fixes this issue.
CVSS 8.8