39 matches found
EUVD-2021-1981
Malware in sbrugna...
EUVD-2014-6436
Malware in sbrugna...
EUVD-2023-1138
Malicious code in bioql PyPI...
CVE-2023-30849
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, a SQL injection vulnerability exists in the translation export API. Users should update to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually...
CVE-2024-49370 Change-Password via Portal-Profile sets PimcoreBackendUser password without hashing
Pimcore is an open source data and experience management platform. When a PortalUserObject is connected to a PimcoreUser and "Use Pimcore Backend Password" is set to true, the change password function in Portal Profile sets the new password. Prior to Pimcore portal engine versions 4.1.7 and 3.1.1...
CVE-2024-32871 Pimcore Vulnerable to Flooding Server with Thumbnail files
Pimcore is an Open Source Data & Experience Management Platform. The Pimcore thumbnail generation can be used to flood the server with large files. By changing the file extension or scaling factor of the requested thumbnail, attackers can create files that are much larger in file size than the...
CVE-2024-29197
CVE-2024-29197 affects Pimcore (Open Source Data & Experience Management Platform). The issue allows viewing unpublished sites when the query parameter ?pimcore_preview=true is used, due to previews no longer being properly access-controlled. This could let an unauthenticated user access potentia...
CVE-2023-47637
Pimcore contains a SQL injection in the Admin Grid Filter API. In affected versions, the /admin/object/grid-proxy endpoint calls getFilterCondition() on class fields to build SQL from user input, and Multiselect’s implementation does not normalize/escape/validate that input. This allows any backe...
CVE-2023-47637 SQL Injection in Admin Grid Filter API in Pimcore
Pimcore is an Open Source Data & Experience Management Platform. In affected versions the /admin/object/grid-proxy endpoint calls getFilterCondition on fields of classes to be filtered for, passing input from the request, and later executes the returned SQL. One implementation of getFilterConditi...
CVE-2023-30855
Pimcore Path Traversal (CVE-2023-30855) affects Pimcore versions before 10.5.18, specifically in AdminBundle/Controller/Reports/CustomReportController.php. The vulnerability allows path traversal and arbitrary file creation/append operations; when combined with SQL Injection, it can expose or rea...
CVE-2023-30852
Pimcore prior to 10.5.21 exposes an Arbitrary File Read via the authenticated admin endpoint /admin/misc/script-proxy. The vulnerability stems from improper sanitization of the scriptPath parameter, enabling path traversal with multiple ../ patterns to read JavaScript/CSS files from the server wh...
CVE-2023-30852 Pimcore Arbitrary File Read in Admin JS CSS files
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the /admin/misc/script-proxy API endpoint that is accessible by an authenticated administrator user is vulnerable to arbitrary JavaScript and CSS file read via the scriptPath and scripts parameters. The...
CVE-2023-30848
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the admin search find API has a SQL injection vulnerability. Users should upgrade to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually...
SQL injection
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, a SQL injection vulnerability exists in the translation export API. Users should update to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually...
CVE-2023-30850
CVE-2023-30850 affects Pimcore prior to 10.5.21, where the admin translations API is vulnerable to SQL injection. The issue arises in the API endpoint that accepts a JSON-encoded filter parameter (not sanitized properly), enabling an attacker with admin access to inject SQL. A patch is available ...
CVE-2023-30849
Pimcore
CVE-2023-28106
PIMCORE CVE-2023-28106 affects Pimcore prior to version 10.5.19, where Cross-site Scripting (XSS) can be triggered via the UrlSlug Data type. The vulnerability is addressed by upgrading to version 10.5.19 or applying the patch referenced in the sources (patch: 14669). Several connected sources co...
CVE-2023-23937
CVE-2023-23937 affects Pimcore/pimcore. The issue is in the upload functionality for updating a user profile, where content-type validation is insufficient, allowing an authenticated user to bypass checks by supplying a valid signature (e.g., GIF89) and sending mismatched content-type. This can e...
CVE-2022-39365
CVE-2022-39365 concerns Pimcore before version 10.5.9, where user-controlled twig templates rendered in Pimcore/Mail and ClassDefinition\Layout\Text enable server-side template injection, potentially allowing remote code execution. The issue is fixed in Pimcore 10.5.9; a patch exists (or can be a...
CVE-2022-39365 RCE vulnerability in Pimcore/Mail & Dynamic Text Layout
Pimcore is an open source data and experience management platform. Prior to version 10.5.9, the user controlled twig templates rendering in Pimcore/Mail & ClassDefinition\Layout\Text is vulnerable to server-side template injection, which could lead to remote code execution. Version 10.5.9 contain...