JiaJia Ji

21 exploits Active since Mar 2022
CVE-2024-21665 WRITEUP MEDIUM WRITEUP
Pimcore E-Commerce Framework < 1.0.10 - Authenticated Improper Access Control in Admin Order List
ecommerce-framework-bundle is the Pimcore Ecommerce Framework Bundle. An authenticated and unauthorized user can access the back-office orders list and be able to query over the information returned. Access control and permissions are not being enforced. This vulnerability has been patched in version 1.0.10.
CVSS 4.3
CVE-2025-27617 WRITEUP HIGH WRITEUP
pimcore < 11.5.4 - Authenticated SQL Injection via Filter String
Pimcore is an open source data and experience management platform. Prior to version 11.5.4, authenticated users can craft a filter string used to cause a SQL injection. Version 11.5.4 fixes the issue.
CVSS 8.8
CVE-2026-27461 WRITEUP MEDIUM WRITEUP
Pimcore <=11.5.14.1/12.3.2 - SQL Injection
Pimcore is an Open Source Data & Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Exploiting this issue requires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users. Version 12.3.3 contains a patch.
CVSS 4.9
CVE-2022-0831 WRITEUP MEDIUM WRITEUP
pimcore < 10.3.3 - Stored Cross-Site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3.
CVSS 5.4
CVE-2022-0832 WRITEUP MEDIUM WRITEUP
pimcore < 10.3.3 - Stored Cross-Site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3.
CVSS 5.4
CVE-2023-1704 WRITEUP MEDIUM WRITEUP
pimcore < 10.5.20 - Stored Cross-Site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.20.
CVSS 5.4
CVE-2023-23937 WRITEUP HIGH WRITEUP
pimcore < 10.5.16 - Authenticated Unrestricted Upload of File with Dangerous Type via User Profile Update
Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. The upload functionality for updating user profile does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature (p.e. GIF89) and sending any invalid content-type. This could allow an authenticated attacker to upload HTML files with JS content that will be executed in the context of the domain. This issue has been patched in version 10.5.16.
CVSS 8.2
CVE-2023-2730 WRITEUP MEDIUM WRITEUP
pimcore < 10.3.3 - Stored Cross-Site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3.
CVSS 5.4
CVE-2023-2756 WRITEUP HIGH WRITEUP
pimcore customer_management_framework < 3.3.10 - SQL Injection
SQL Injection in GitHub repository pimcore/customer-data-framework prior to 3.3.10.
CVSS 7.2
CVE-2023-2983 WRITEUP HIGH WRITEUP
pimcore/pimcore <10.5.23 - Privilege Escalation
Privilege Defined With Unsafe Actions in GitHub repository pimcore/pimcore prior to 10.5.23.
CVSS 8.8
CVE-2023-3574 WRITEUP MEDIUM WRITEUP
pimcore/customer-data-framework <3.4.1 - Info Disclosure
Improper Authorization in GitHub repository pimcore/customer-data-framework prior to 3.4.1.
CVSS 6.5
CVE-2023-3673 WRITEUP HIGH WRITEUP
pimcore < 10.5.24 - SQL Injection
SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.24.
CVSS 7.2
CVE-2023-3820 WRITEUP HIGH WRITEUP
pimcore < 10.6.4 - SQL Injection
SQL Injection in GitHub repository pimcore/pimcore prior to 10.6.4.
CVSS 7.2
CVE-2023-42817 WRITEUP MEDIUM WRITEUP
Pimcore admin-ui-classic-bundle < 1.1.2 - Cross-Site Scripting via Translation String Parsing
Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore. The translation value with text including “%s” (from “%suggest%) is parsed by sprintf() even though it’s supposed to be output literally to the user. The translations may be accessible by a user with comparatively lower overall access (as the translation permission cannot be scoped to certain “modules”) and a skilled attacker might be able to exploit the parsing of the translation string in the dialog box. This issue has been patched in commit `abd77392` which is included in release 1.1.2. Users are advised to update to version 1.1.2 or apply the patch manually.
CVSS 5.4
CVE-2023-5844 WRITEUP HIGH WRITEUP
pimcore admin_classic_bundle < 1.1.4 and admin-ui-classic-bundle < 1.2.0-RC1 - Unverified Password Change
Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0.
CVSS 7.2
CVE-2024-21667 WRITEUP MEDIUM WRITEUP
pimcore customer_management_framework < 4.0.6 - Authenticated Improper Access Control in GDPR Data Extraction
pimcore/customer-data-framework is the Customer Management Framework for management of customer data within Pimcore. An authenticated and unauthorized user can access the GDPR data extraction feature and query over the information returned, leading to customer data exposure. Permissions are not enforced when reaching the `/admin/customermanagementframework/gdpr-data/search-data-objects` endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. An unauthorized user can access PII data from customers. This vulnerability has been patched in version 4.0.6.
CVSS 6.5
CVE-2024-25625 WRITEUP HIGH WRITEUP
Pimcore <1.3.4 - Host Header Injection
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in `pimcore/admin-ui-classic-bundle` prior to version 1.3.4. The vulnerability involves a Host Header Injection in the `invitationLinkAction` function of the UserController, specifically in the way `$loginUrl` trusts user input. The host header from incoming HTTP requests is used unsafely when generating URLs. An attacker can manipulate the HTTP host header in requests to the /admin/user/invitationlink endpoint, resulting in the generation of URLs with the attacker's domain. In fact, if a host header is injected in the POST request, the $loginURL parameter is constructed with this unvalidated host header. It is then used to send an invitation email to the provided user. This vulnerability can be used to perform phishing attacks by making the URLs in the invitation links emails point to an attacker-controlled domain. Version 1.3.4 contains a patch for the vulnerability. The maintainers recommend validating the host header and ensuring it matches the application's domain. It would also be beneficial to use a default trusted host or hostname if the incoming host header is not recognized or is absent.
CVSS 8.1
CVE-2025-24980 WRITEUP MEDIUM WRITEUP
pimcore/admin-ui-classic-bundle < 1.7.4 - User Enumeration via Forgot Password Error Message
pimcore/admin-ui-classic-bundle provides a Backend UI for Pimcore. In affected versions an error message discloses existing accounts and leads to user enumeration on the target via "Forgot password" function. No generic error message has been implemented. This issue has been addressed in version 1.7.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 5.3
CVE-2026-23493 WRITEUP HIGH WRITEUP
Pimcore <12.3.1-11.5.14 - Info Disclosure
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14.
CVSS 8.6
CVE-2026-23495 WRITEUP MEDIUM WRITEUP
Pimcore <2.2.3-1.7.16 - Info Disclosure
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16.
CVSS 4.3
CVE-2026-23496 WRITEUP MEDIUM WRITEUP
Pimcore Web2Print Tools Bundle <6.1.1 - Privilege Escalation
Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1.
CVSS 5.4