CVE-2018-14058

MEDIUM

pimcore < 5.3.0 - SQL Injection via REST Web Service API

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-14058. PoCs published by SEC Consult, Thongchai Silpavarangkura, N. Rai-Ngoen, Shelby Pace, including Metasploit module auxiliary/gather/pimcore_creds_sqli.

AI-analyzed exploit summary This is a security advisory detailing SQL injection, XSS, and CSRF vulnerabilities in Pimcore versions 5.2.3 and below. It includes proof-of-concept URLs and descriptions of the vulnerabilities but does not contain executable exploit code.

Description

Pimcore before 5.3.0 allows SQL Injection via the REST web service API.

Exploits (2)

exploitdb WRITEUP

by SEC Consult · textwebappsphp

https://www.exploit-db.com/exploits/45208

View Code ZIP pw:eip

This is a security advisory detailing SQL injection, XSS, and CSRF vulnerabilities in Pimcore versions 5.2.3 and below. It includes proof-of-concept URLs and descriptions of the vulnerabilities but does not contain executable exploit code.

Classification

Writeup 100%

Attack Type

Sqli | Xss | Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Pimcore 5.2.3 and below

Auth required

Prerequisites: Valid API key for SQLi · Authenticated user for XSS and CSRF

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC

by Thongchai Silpavarangkura, N. Rai-Ngoen, Shelby Pace · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/pimcore_creds_sqli.rb

View Code ZIP pw:eip

This Metasploit module exploits a SQL injection vulnerability in Pimcore's REST API to extract usernames and hashed passwords. It uses a UNION-based SQLi to retrieve credentials from the users table.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Pimcore (versions affected by CVE-2018-14058)

Auth required

Prerequisites: Valid API key for Pimcore REST API · Access to the Pimcore web service

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2018/Aug/13

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/148954/Pimcore-5.2.3-CSRF-Cross-Site-Scripting-SQL-Injection.html

Exploit, Third Party Advisory x_refsource_misc

https://www.sec-consult.com/en/blog/advisories/sql-injection-xss-csrf-vulnerabilities-in-pimcore-software/

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/45208/

Scores

CVSS v3 6.5

EPSS 0.0151

EPSS Percentile 81.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-89

Status published

Products (2)

pimcore/pimcore < 5.3.0

pimcore/pimcore 0 - 5.3.0Packagist

Published Aug 17, 2018

Tracked Since Feb 18, 2026