15 matches found
CVE-2024-48239
An issue was discovered in WTCMS 1.0. In the plupload method in \AssetController.class.php, the app parameters aren't processed, resulting in Cross Site Scripting XSS...
Cross Site Scripting (XSS)
pimcore/admin-ui-classic-bundle is vulnerable to Cross Site Scripting. The vulnerability is due to the getPreviewDocumentAction function in AssetController.php not having any content validation for PDF files. This allows an attacker to craft a malicious PDF file containing harmful scripts and can...
Path Traversal
pimcore/pimcore is vulnerable to Path Traversal. A path traversal flaw exists in AssetController::importServerFilesAction, which allows an attacker to alter the pimcorelog argument, possibly overwriting or modifying sensitive files. This might also lead to illegal access, privilege escalation, or...
CVE-2023-38708
Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in the AssetController::importServerFilesAction, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcorelog...
Path traversal
Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in the AssetController::importServerFilesAction, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcorelog...
CVE-2023-38708 Pimcore Path Traversal Vulnerability in AssetController:importServerFilesAction
Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in the AssetController::importServerFilesAction, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcorelog...
CVE-2023-38708 Pimcore Path Traversal Vulnerability in AssetController:importServerFilesAction
Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in the AssetController::importServerFilesAction, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcorelog...
CVE-2023-38708
CVE-2023-38708 affects Pimcore (AssetController::importServerFilesAction). A path traversal vulnerability allows an attacker to overwrite/modify sensitive files by manipulating the pimcore_log parameter, potentially causing DoS and enabling unauthorized access, privilege escalation, or data discl...
CVE-2023-38708 Pimcore Path Traversal Vulnerability in AssetController:importServerFilesAction
Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in the AssetController::importServerFilesAction, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcorelog...
Pimcore Path Traversal Vulnerability in AssetController:importServerFilesAction
Impact A path traversal vulnerability exists in the AssetController::importServerFilesAction, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcorelog parameter.This can lead to potential denial of service---key file overwrite. The impact of this vulnerabilit...
GHSA-34HJ-V8FM-X887 Pimcore Path Traversal Vulnerability in AssetController:importServerFilesAction
Impact A path traversal vulnerability exists in the AssetController::importServerFilesAction, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcorelog parameter.This can lead to potential denial of service---key file overwrite. The impact of this vulnerabilit...
SQL Injection
pimcore/pimcore is vulnerable to SQL injection. The vulnerability is due to improper sql sanitization in AssetController.php which allows an attacker to inject and execute malicious SQL queries...
GHSA-4X35-VR82-XVJ6 SQL Injection in AssetController
Impact SQL injections in AssetController due to unsanitized concatenating strings in where clause. The attacker can dump database, alter data or perform dos on the backend database. Patches Update to version 10.5.21 or apply this patch manually...
SQL Injection in AssetController
Impact SQL injections in AssetController due to unsanitized concatenating strings in where clause. The attacker can dump database, alter data or perform dos on the backend database. Patches Update to version 10.5.21 or apply this patch manually...
SQL injection in GridHelperService.php
Description In line 786, we can see $conditionFilters = $filterField . ' ' . $operator . ' ' . $value;. The three variables joins to a string, and the variables come from the request parameter.Maybe line 793 is vulnerable too. The code comes from prepareAssetListingForGrid function. The function ...