Lucene search

K
cve[email protected]CVE-2024-23646
HistoryJan 24, 2024 - 8:15 p.m.

CVE-2024-23646

2024-01-2420:15:53
CWE-89
web.nvd.nist.gov
14
pimcore
admin classic bundle
sql injection
vulnerability
cve-2024-23646
nvd

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.3%

Pimcore’s Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, parameter selectedIds is susceptible to SQL Injection. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. Version 1.3.2 contains a fix for this issue.

Affected configurations

Vulners
NVD
Node
pimcoreadmin_classic_bundleRange1.0.01.3.2
VendorProductVersionCPE
pimcoreadmin_classic_bundle*cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "pimcore",
    "product": "admin-ui-classic-bundle",
    "versions": [
      {
        "version": ">= 1.0.0, < 1.3.2",
        "status": "affected"
      }
    ]
  }
]

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.3%

Related for CVE-2024-23646