CVE-2023-28438
MEDIUMpimcore < 10.5.19 - SQL Injection via Report Endpoint
Title source: llmDescription
Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries and given the fact that this endpoint is using the GET method (no CSRF protection), an attacker can inject an arbitrary query by manipulating a user to click on a link. Users should upgrade to version 10.5.19 to receive a patch or, as a workaround, may apply the patch manually.
References (3)
Core 3
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/pimcore/pimcore/security/advisories/GHSA-vf7q-g2pv-jxvx
Patch, Vendor Advisory x_refsource_misc
https://github.com/pimcore/pimcore/pull/14526
Patch x_refsource_misc
https://github.com/pimcore/pimcore/commit/d1abadb181c88ebaa4bce1916f9077469d4ea2bc.patch
Scores
CVSS v3
6.2
EPSS
0.0086
EPSS Percentile
54.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-89
Status
published
Products (2)
pimcore/pimcore
< 10.5.19
pimcore/pimcore
0 - 10.5.19Packagist
Published
Mar 22, 2023
Tracked Since
Feb 18, 2026