CVE-2024-23646
HIGHPimcore Admin Classic Bundle 1.0.0-1.3.1 - Authenticated SQL Injection via selectedIds Parameter
Title source: llmDescription
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, parameter `selectedIds` is susceptible to SQL Injection. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. Version 1.3.2 contains a fix for this issue.
References (5)
Core 5
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-cwx6-4wmf-c6xv
Patch x_refsource_misc
https://github.com/pimcore/admin-ui-classic-bundle/commit/363afef29496cc40a8b863c2ca2338979fcf50a8
Issue Tracking x_refsource_misc
https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2006
Issue Tracking x_refsource_misc
https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2087
Release Notes x_refsource_misc
https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.3.2
Scores
CVSS v3
8.8
EPSS
0.0076
EPSS Percentile
50.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (2)
pimcore/admin-ui-classic-bundle
1.0.0 - 1.3.2Packagist
pimcore/admin_classic_bundle
1.0.0 - 1.3.2
Published
Jan 24, 2024
Tracked Since
Feb 18, 2026