Pimcore GmbH

5 exploits, active since Nov 2023
CVE-2024-21667 MEDIUM WRITEUP
pimcore customer_management_framework < 4.0.6 - Authenticated Improper Access Control in GDPR Data Extraction
pimcore/customer-data-framework is the Customer Management Framework for management of customer data within Pimcore. An authenticated but unauthorized user can access the GDPR data extraction feature and query the information it returns, leading to customer data exposure. Permissions are not enforced on the `/admin/customermanagementframework/gdpr-data/search-data-objects` endpoint, so an authenticated user without the required permissions can reach the endpoint and query the data available there. An unauthorized user can access PII data from customers. This vulnerability has been patched in version 4.0.6.
CVSS 6.5
CVE-2023-47637 HIGH WRITEUP
pimcore < 11.1.1 - Authenticated SQL Injection via Grid Proxy Endpoint
Pimcore is an Open Source Data & Experience Management Platform. In affected versions the `/admin/object/grid-proxy` endpoint calls `getFilterCondition()` on fields of classes to be filtered for, passing input from the request, and later executes the returned SQL. One implementation of `getFilterCondition()` is in `Multiselect`, which does not normalize/escape/validate the passed value. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. This vulnerability has been addressed in version 11.1.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 8.8
CVE-2024-21665 MEDIUM WRITEUP
Pimcore E-Commerce Framework < 1.0.10 - Authenticated Improper Access Control in Admin Order List
ecommerce-framework-bundle is the Pimcore Ecommerce Framework Bundle. An authenticated but unauthorized user can access the back-office orders list and query the information it returns. Access control and permissions are not being enforced. This vulnerability has been patched in version 1.0.10.
CVSS 4.3
CVE-2024-21666 MEDIUM WRITEUP
pimcore customer_management_framework < 4.0.6 - Authenticated Improper Access Control in Duplicates Endpoint
The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management, segmentation, personalization and marketing automation. An authenticated but unauthorized user can access the list of potential duplicate users and see their data. Permissions are not enforced on the `/admin/customermanagementframework/duplicates/list` endpoint, so an authenticated user without the required permissions can reach the endpoint and query the data available there. Unauthorized users can access PII data from customers. This vulnerability has been patched in version 4.0.6.
CVSS 6.5
CVE-2025-27617 HIGH WRITEUP
pimcore < 11.5.4 - Authenticated SQL Injection via Filter String
Pimcore is an open source data and experience management platform. Prior to version 11.5.4, authenticated users can craft a filter string used to cause a SQL injection. Version 11.5.4 fixes the issue.
CVSS 8.8