Pimcore GmbH

4 exploits, active since Nov 2023
CVE-2023-47637 (severity: HIGH)
Pimcore < 11.1.1 - SQL Injection
Pimcore is an Open Source Data & Experience Management Platform. In affected versions the `/admin/object/grid-proxy` endpoint calls `getFilterCondition()` on fields of classes to be filtered for, passing input from the request, and later executes the returned SQL. One implementation of `getFilterCondition()` is in `Multiselect`, which does not normalize/escape/validate the passed value. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. This vulnerability has been addressed in version 11.1.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 8.8
CVE-2024-21665 (severity: MEDIUM)
Pimcore E-commerce Framework < 1.0.10 - Improper Access Control
ecommerce-framework-bundle is the Pimcore Ecommerce Framework Bundle. An authenticated user without the required authorization can access the back-office orders list and query the information returned. Access control and permissions are not enforced on this endpoint. This vulnerability has been patched in version 1.0.10.
CVSS 4.3
CVE-2024-21666 (severity: MEDIUM)
Pimcore Customer Management Framework - Improper Access Control
The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management, segmentation, personalization and marketing automation. An authenticated user without the required authorization can access the list of potential duplicate users and see their data. Permissions are not enforced when reaching the `/admin/customermanagementframework/duplicates/list` endpoint, allowing an authenticated user without the corresponding permission to access the endpoint and query the data available there. Unauthorized users can therefore access customer PII. This vulnerability has been patched in version 4.0.6.
CVSS 6.5
CVE-2025-27617 (severity: HIGH)
Pimcore < 11.5.4 - SQL Injection
Pimcore is an open source data and experience management platform. Prior to version 11.5.4, authenticated users can craft a filter string that is used unsafely in a query, causing a SQL injection. Version 11.5.4 fixes the issue.
CVSS 8.8