Pimcore Security Vulnerabilities

CVE-2024-29197

Pimcore is an Open Source Data & Experience Management Platform. Any call with the query argument ?pimcore_preview=true allows to view unpublished sites. In previous versions of Pimcore, session information would propagate to previews, so only a logged in user could open a preview. This no longer.....

CVE-2023-47637

Pimcore is an Open Source Data & Experience Management Platform. In affected versions the /admin/object/grid-proxy endpoint calls getFilterCondition() on fields of classes to be filtered for, passing input from the request, and later executes the returned SQL. One implementation of...

CVE-2023-5873

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to...

CVE-2023-5844

Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to...

CVE-2023-5192

Excessive Data Query Operations in a Large Data Table in GitHub repository pimcore/demo prior to...

CVE-2023-4453

Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to...

CVE-2023-38708

Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in the AssetController::importServerFilesAction, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore_log...

CVE-2023-4145

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/customer-data-framework prior to...

CVE-2023-3820

SQL Injection in GitHub repository pimcore/pimcore prior to...

CVE-2023-3822

Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to...

CVE-2023-3821

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to...

CVE-2023-3819

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pimcore/pimcore prior to...

CVE-2023-3673

SQL Injection in GitHub repository pimcore/pimcore prior to...

CVE-2023-3574

Improper Authorization in GitHub repository pimcore/customer-data-framework prior to...

CVE-2023-2983

Privilege Defined With Unsafe Actions in GitHub repository pimcore/pimcore prior to...

CVE-2023-2984

Path Traversal: '..\filename' in GitHub repository pimcore/pimcore prior to...

CVE-2023-2881

Storing Passwords in a Recoverable Format in GitHub repository pimcore/customer-data-framework prior to...

CVE-2023-2756

SQL Injection in GitHub repository pimcore/customer-data-framework prior to...

CVE-2023-2730

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to...

CVE-2023-2630

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to...

CVE-2023-2629

Improper Neutralization of Formula Elements in a CSV File in GitHub repository pimcore/customer-data-framework prior to...

CVE-2023-2615

Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to...

CVE-2023-2614

Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to...

CVE-2023-2616

Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to...

CVE-2023-30855

Pimcore is an open source data and experience management platform. Versions of Pimcore prior to 10.5.18 are vulnerable to path traversal. The impact of this path traversal and arbitrary extension is limited to creation of arbitrary files and appending data to existing files. When combined with the....

CVE-2023-2361

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to...

CVE-2023-30850

Pimcore is an open source data and experience management platform. Prior to version 10.5.21, a SQL Injection vulnerability exists in the admin translations API. Users should update to version 10.5.21 to receive a patch or, as a workaround, or apply the patch...

CVE-2023-30852

Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the /admin/misc/script-proxy API endpoint that is accessible by an authenticated administrator user is vulnerable to arbitrary JavaScript and CSS file read via the scriptPath and scripts parameters. The...

CVE-2023-30849

Pimcore is an open source data and experience management platform. Prior to version 10.5.21, A SQL injection vulnerability exists in the translation export API. Users should update to version 10.5.21 to receive a patch or, as a workaround, or apply the patch...

CVE-2023-30848

Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the admin search find API has a SQL injection vulnerability. Users should upgrade to version 10.5.21 to receive a patch or, as a workaround, apply the patch...

CVE-2023-2343

Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to...

CVE-2023-2342

Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to...

CVE-2023-2341

Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to...

CVE-2023-2340

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to...

CVE-2023-2339

Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to...

CVE-2023-2338

SQL Injection in GitHub repository pimcore/pimcore prior to...

CVE-2023-2336

Path Traversal in GitHub repository pimcore/pimcore prior to...

CVE-2023-2328

Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to...

CVE-2023-2327

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to...

CVE-2023-2323

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to...

CVE-2023-2322

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to...

CVE-2023-1703

Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to...

CVE-2023-1702

Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to...

CVE-2023-1701

Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to...

CVE-2023-1704

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to...

CVE-2023-28438

Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries and given the fact that this endpoint is using the GET method (no CSRF protection), an attacker can inject an arbitrary query...

CVE-2023-1578

SQL Injection in GitHub repository pimcore/pimcore prior to...

CVE-2023-1517

Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to...

CVE-2023-28429

Pimcore is an open source data and experience management platform. Versions prior to 10.5.19 have an unsecured tooltip field in DataObject class definition. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie...

CVE-2023-1515

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to...