robertSt7

15 exploits Active since Jan 2023
CVE-2023-0323 WRITEUP MEDIUM WRITEUP
pimcore <10.5.14 - XSS
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.14.
CVSS 5.4
CVE-2023-2336 WRITEUP MEDIUM WRITEUP
pimcore <10.5.21 - Path Traversal
Path Traversal in GitHub repository pimcore/pimcore prior to 10.5.21.
CVSS 6.5
CVE-2023-2339 WRITEUP MEDIUM WRITEUP
pimcore <10.5.21 - XSS
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21.
CVSS 5.4
CVE-2023-2340 WRITEUP MEDIUM WRITEUP
pimcore <10.5.21 - XSS
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
CVSS 5.4
CVE-2023-2343 WRITEUP MEDIUM WRITEUP
pimcore <10.5.21 - XSS
Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.21.
CVSS 5.4
CVE-2023-2361 WRITEUP MEDIUM WRITEUP
pimcore <10.5.21 - XSS
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
CVSS 5.4
CVE-2023-3819 WRITEUP MEDIUM WRITEUP
pimcore <10.6.4 - Info Disclosure
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pimcore/pimcore prior to 10.6.4.
CVSS 6.5
CVE-2023-4453 WRITEUP MEDIUM WRITEUP
Pimcore < 10.6.8 - XSS
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.8.
CVSS 5.4
CVE-2023-46722 WRITEUP MEDIUM WRITEUP
Pimcore Admin Classic Bundle <1.2.0 - XSS
The Pimcore Admin Classic Bundle provides a backend UI for Pimcore. Prior to version 1.2.0, a cross-site scripting vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Users should upgrade to version 1.2.0 to receive a patch or, as a workaround, apply the patch manually.
CVSS 6.1
CVE-2023-46722 WRITEUP MEDIUM WRITEUP
Pimcore Admin Classic Bundle <1.2.0 - XSS
The Pimcore Admin Classic Bundle provides a backend UI for Pimcore. Prior to version 1.2.0, a cross-site scripting vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Users should upgrade to version 1.2.0 to receive a patch or, as a workaround, apply the patch manually.
CVSS 6.1
CVE-2023-47637 WRITEUP HIGH WRITEUP
Pimcore < 11.1.1 - SQL Injection
Pimcore is an Open Source Data & Experience Management Platform. In affected versions the `/admin/object/grid-proxy` endpoint calls `getFilterCondition()` on fields of classes to be filtered for, passing input from the request, and later executes the returned SQL. One implementation of `getFilterCondition()` is in `Multiselect`, which does not normalize/escape/validate the passed value. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. This vulnerability has been addressed in version 11.1.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 8.8
CVE-2023-5873 WRITEUP MEDIUM WRITEUP
Pimcore < 11.1.0 - XSS
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 11.1.0.
CVSS 5.4
CVE-2024-24822 WRITEUP MEDIUM WRITEUP
Pimcore <1.3.3 - Privilege Escalation
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Prior to version 1.3.3, an attacker can create, delete etc. tags without having the permission to do so. A fix is available in version 1.3.3. As a workaround, one may apply the patch manually.
CVSS 6.5
CVE-2024-41109 WRITEUP MEDIUM WRITEUP
Pimcore Admin Classic Bundle < 1.3.10 - Information Disclosure
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Navigating to `/admin/index/statistics` with a logged in Pimcore user exposes information about the Pimcore installation, PHP version, MYSQL version, installed bundles and all database tables and their row count in the system. This vulnerability is fixed in 1.5.2, 1.4.6, and 1.3.10.
CVSS 6.3
CVE-2025-30166 WRITEUP MEDIUM WRITEUP
Pimcore Admin Classic Bundle - XSS
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. An HTML injection issue allows users with access to the email sending functionality to inject arbitrary HTML code into emails sent via the admin interface, potentially leading to session cookie theft and the alteration of page content. The vulnerability was discovered in the /admin/email/send-test-email endpoint using the POST method. The vulnerable parameter is content, which permits the injection of arbitrary HTML code during the email sending process. While JavaScript code injection is blocked through filtering, HTML code injection remains possible. This vulnerability is fixed in 1.7.6.
CVSS 4.8