4 matches found
CVE-2023-28438
Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries and given the fact that this endpoint is using the GET method no CSRF protection, an attacker can inject an arbitrary query by...
CVE-2023-28438
Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries and given the fact that this endpoint is using the GET method no CSRF protection, an attacker can inject an arbitrary query by...
CVE-2023-28438
PIMCORE CVE-2023-28438 affects Pimcore prior to version 10.5.19. A user with 'report' permission can trigger arbitrary SQL via a GET endpoint with no CSRF protection; combined path traversal and SQL injection allow creation of arbitrary files and, with the SQL injection, potential webshell or PHP...
CVE-2023-28438 Pimcore vulnerable to improper quoting of filters in Custom Reports
Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries and given the fact that this endpoint is using the GET method no CSRF protection, an attacker can inject an arbitrary query by...