CVE-2023-28438

MEDIUM

pimcore < 10.5.19 - SQL Injection via Report Endpoint

Title source: llm
STIX 2.1

Description

Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries and given the fact that this endpoint is using the GET method (no CSRF protection), an attacker can inject an arbitrary query by manipulating a user to click on a link. Users should upgrade to version 10.5.19 to receive a patch or, as a workaround, may apply the patch manually.

References (3)

Core 3

Scores

CVSS v3 6.2
EPSS 0.0086
EPSS Percentile 54.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (2)
pimcore/pimcore < 10.5.19
pimcore/pimcore 0 - 10.5.19Packagist
Published Mar 22, 2023
Tracked Since Feb 18, 2026