CVE-2015-4425

pimcore < build 3473 - Authenticated Path Traversal and Arbitrary File Write via Admin Asset Compatibility Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-4425. The PoC was published by Portcullis.

AI-analyzed exploit summary: This exploit demonstrates a directory traversal vulnerability in Pimcore CMS, allowing an administrative user with 'assets' permission to overwrite system configuration files via a crafted POST request. The PoC includes a sample request to update the 'system.xml' file, which can lead to arbitrary configuration manipulation.

Description

Directory traversal vulnerability in pimcore before build 3473 allows remote authenticated users with the "assets" permission to create or write to arbitrary files via a .. (dot dot) in the dir parameter to admin/asset/add-asset-compatibility.
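The weakness behind the description above is the classic CWE-22 shape: a caller-controlled directory value is spliced into a filesystem path and never re-checked after normalisation, so ".." segments walk the write out of the asset tree. The Python below is an added example, not code from the page, from the Portcullis PoC, or from Pimcore itself, and it does not claim to reproduce how build 3473 actually fixed the endpoint. The asset root path, the function names vulnerable_target / safe_target / check_dir_param and the PathTraversalError type are all assumptions made for illustration; 'system.xml' as the filename is taken from the exploit summary. The vulnerable variant is kept only to show where a traversal value really lands; the hardened variant rejects it.

```python
import posixpath

# Constructed example root. The web root and asset root below are assumptions
# for illustration, not paths taken from the advisory or from Pimcore.
ASSET_ROOT = "/var/www/pimcore/website/var/assets"


class PathTraversalError(ValueError):
    """Raised when a caller-supplied path would leave the asset root."""


def vulnerable_target(asset_root: str, user_dir: str, filename: str) -> str:
    """The CWE-22 pattern: the request's dir value is spliced into the path
    and trusted as-is, so '..' segments walk out of the asset tree.
    normpath is applied only to show where the write really lands."""
    return posixpath.normpath(f"{asset_root}/{user_dir}/{filename}")


def safe_target(asset_root: str, user_dir: str, filename: str) -> str:
    """Resolve dir + filename under asset_root and reject anything that
    escapes it. The containment check runs on the normalised result, not
    on the raw string, so 'a/../../x' is caught the same way as '../x'.
    Note: normpath is purely lexical; against a live filesystem use
    realpath() as well so symlinks inside the tree cannot point outside it."""
    root = posixpath.normpath(asset_root)

    # The filename must be exactly one path component.
    if filename in ("", ".", "..") or "/" in filename:
        raise PathTraversalError(f"invalid filename: {filename!r}")

    # A leading '/' would otherwise make join() discard the root entirely.
    rel = user_dir.strip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel, filename))

    # commonpath rather than startswith: a sibling such as '.../assets-old'
    # starts with '.../assets' as a string but is not inside it.
    if posixpath.commonpath([root, candidate]) != root:
        raise PathTraversalError(f"path escapes asset root: {candidate}")
    return candidate


def check_dir_param(user_dir: str, filename: str) -> dict:
    """Return where each variant would write for a given dir parameter value.
    'safe' is None (and 'error' is set) when the hardened check rejects it."""
    result = {"vulnerable": vulnerable_target(ASSET_ROOT, user_dir, filename)}
    try:
        result["safe"] = safe_target(ASSET_ROOT, user_dir, filename)
    except PathTraversalError as exc:
        result["safe"] = None
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # Constructed dir values: one legitimate, three traversal attempts,
    # one sibling-directory trick that a startswith() check would miss.
    for d in ("images", "../config", "images/../../../config",
              "/../config", "../assets-old"):
        print(f"{d!r:30} -> {check_dir_param(d, 'system.xml')}")
```

The two behaviours worth noting for anyone porting this into a PHP code base such as Pimcore's: the check must compare the canonical form of the final path with the canonical root (realpath() on both, with commonpath-style component comparison rather than a string prefix), and the filename and directory must be validated separately, since a traversal sequence can arrive in either.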

Exploits (1)

exploitdb · Working PoC
by Portcullis · text · webapps · xml
https://www.exploit-db.com/exploits/37609


Classification
Verdict: Working PoC (90% confidence)
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Pimcore CMS Build 3450
Auth required: yes
Prerequisites: Administrative access with 'assets' permission
Analyzed by devstral-2 on Feb 16, 2026

Scores

EPSS: 0.0381
EPSS Percentile: 88.7%

Details

CWE: CWE-22
Status: published
Products (1): pimcore/pimcore
Published: Aug 18, 2015
Tracked Since: Feb 18, 2026