CVE-2024-11956

MEDIUM

Pimcore < 4.2.1 - SQL Injection via Customer List Filter Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-11956. PoCs published by maeitsec.

AI-analyzed exploit summary This exploit demonstrates an SQL injection vulnerability in Pimcore's customer-data-framework, allowing authenticated users to download restricted files via the 'downloadAsZip' functionality. The PoC authenticates with low-privilege credentials and exploits the endpoint to retrieve unauthorized files.

Description

A vulnerability, which was classified as critical, has been found in Pimcore customer-data-framework up to 4.2.0. Affected by this issue is some unknown functionality of the file /admin/customermanagementframework/customers/list. The manipulation of the argument filterDefinition/filter leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component.

Exploits (1)

exploitdb WORKING POC

by maeitsec · pythonwebappsmultiple

https://www.exploit-db.com/exploits/52193

View Code ZIP pw:eip

This exploit demonstrates an SQL injection vulnerability in Pimcore's customer-data-framework, allowing authenticated users to download restricted files via the 'downloadAsZip' functionality. The PoC authenticates with low-privilege credentials and exploits the endpoint to retrieve unauthorized files.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Pimcore versions prior to 10.5.21

Auth required

Prerequisites: Valid low-privilege credentials · Access to the Pimcore admin interface

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Third Party Advisory, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.293906

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.293906

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.451863

Exploit, Vendor Advisory exploit

https://github.com/pimcore/pimcore/security/advisories/GHSA-q53r-9hh9-w277

Release Notes patch

https://github.com/pimcore/customer-data-framework/releases/tag/v4.2.1

Scores

CVSS v3 4.7

EPSS 0.0001

EPSS Percentile 0.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-74 CWE-89

Status published

Products (2)

pimcore/customer-management-framework-bundle 0 - 4.2.1Packagist

pimcore/pimcore < 4.2.1

Published Jan 28, 2025

Tracked Since Feb 18, 2026