Lucene search

[email protected]NVD:CVE-2023-28438

HistoryMar 22, 2023 - 9:15 p.m.

CVE-2023-28438

2023-03-2221:15:18

CWE-89

[email protected]

web.nvd.nist.gov

pimcore data management cve-2023-28438 sql injection upgrade patch workaround manipulation

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

51.0%

JSON

Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with ‘report’ permission can already write arbitrary SQL queries and given the fact that this endpoint is using the GET method (no CSRF protection), an attacker can inject an arbitrary query by manipulating a user to click on a link. Users should upgrade to version 10.5.19 to receive a patch or, as a workaround, may apply the patch manually.

Affected configurations

Nvd

Node

pimcorepimcoreRange<10.5.19

VendorProductVersionCPE
pimcorepimcore*cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
pimcore	pimcore	*	cpe:2.3:a:pimcore:pimcore::::::::

References

github.com/pimcore/pimcore/commit/d1abadb181c88ebaa4bce1916f9077469d4ea2bc.patch

github.com/pimcore/pimcore/pull/14526

github.com/pimcore/pimcore/security/advisories/GHSA-vf7q-g2pv-jxvx

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

51.0%

JSON

Related for NVD:CVE-2023-28438

github1 osv2 cvelist1 cve1 veracode1 prion1 thn1