Pimcore

120 matches found

CVE-2022-0665 (added 2022/02/22 3:15 p.m.)

Path Traversal in GitHub repository pimcore/pimcore prior to 10.3.2.

CVSS 6.5 | AI score 5.6 | EPSS 0.00013
CVE-2019-18986 (added 2019/11/15 5:15 a.m.)

Pimcore before 6.2.2 allows attackers to brute-force (guess) valid usernames by using the 'forgot password' functionality, as it returns distinct messages for an invalid password and for non-existing users.

CVSS 7.5 | AI score 7.6 | EPSS 0.00009
CVE-2019-18982 (added 2019/11/15 5:15 a.m.)

bundles/AdminBundle/Controller/Admin/EmailController.php in Pimcore before 6.3.0 allows script execution in the Email Log preview window because of the lack of a Content-Security-Policy header.

CVSS 6.1 | AI score 6.2 | EPSS 0.00006
CVE-2019-18981 (added 2019/11/15 5:15 a.m.)

Pimcore before 6.2.2 lacks an Access Denied outcome for a certain scenario of an incorrect recipient ID of a notification.

CVSS 9.8 | AI score 9.4 | EPSS 0.0001
CVE-2019-18985 (added 2019/11/15 5:15 a.m.)

Pimcore before 6.2.2 lacks brute force protection for the 2FA token.

CVSS 9.8 | AI score 9.4 | EPSS 0.00008
CVE-2023-2630 (added 2023/05/10 4:15 p.m.)

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.

CVSS 5.7 | AI score 4.9 | EPSS 0.00002
CVE-2023-2616 (added 2023/05/10 5:15 a.m.)

Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21.

CVSS 6.8 | AI score 5.4 | EPSS 0.00003
CVE-2019-10763 (added 2019/11/18 8:15 p.m.)

pimcore/pimcore before 6.3.0 is vulnerable to SQL Injection. An attacker with limited privileges (classes permission) can achieve a SQL injection that can lead to data leakage. The vulnerability can be exploited via the 'id', 'storeId', 'pageSize' and 'tables' parameters, using a payload to trigger a ...

CVSS 6.5 | AI score 6.8 | EPSS 0.00009
CVE-2022-0894 (added 2022/03/15 11:15 a.m.)

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.

CVSS 8.2 | AI score 5.6 | EPSS 0.0001
CVE-2022-0893 (added 2022/03/15 11:15 a.m.)

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.

CVSS 6.8 | AI score 5.3 | EPSS 0.00014
CVE-2023-2614 (added 2023/05/10 6:15 a.m.)

Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.21.

CVSS 6.8 | AI score 5.4 | EPSS 0.00003
CVE-2022-0565 (added 2022/02/14 12:15 p.m.)

Cross-site Scripting in Packagist pimcore/pimcore prior to 10.3.1.

CVSS 7.6 | AI score 6.5 | EPSS 0.00044
CVE-2022-0831 (added 2022/03/04 2:15 p.m.)

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3.

CVSS 5.4 | AI score 4.8 | EPSS 0.00126
CVE-2022-1219 (added 2022/04/08 9:15 a.m.)

SQL injection in RecyclebinController.php in GitHub repository pimcore/pimcore prior to 10.3.5. This vulnerability is capable of stealing data.

CVSS 7.5 | AI score 7.5 | EPSS 0.00175
CVE-2023-1517 (added 2023/03/20 4:15 p.m.)

Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.19.

CVSS 4.8 | AI score 4.5 | EPSS 0.00002
CVE-2022-0832 (added 2022/03/04 2:15 p.m.)

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3.

CVSS 5.4 | AI score 4.8 | EPSS 0.00847
CVE-2022-0704 (added 2022/03/16 10:15 a.m.)

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.

CVSS 5.4 | AI score 4.6 | EPSS 0.00028
CVE-2019-10867 (added 2019/04/04 6:29 p.m.)

An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to /admin/class/bulk-commit, which will make it possible to exploit the unserialize function when passing untrusted values in the data parameter to bundles/AdminBundle/Controller/Admin/DataO...

CVSS 8.8 | AI score 8.3 | EPSS 0.53534
Web
CVE-2022-1339 (added 2022/04/13 10:15 a.m.)

SQL injection in ElementController.php in GitHub repository pimcore/pimcore prior to 10.3.5. This vulnerability is capable of stealing data.

CVSS 8.8 | AI score 8 | EPSS 0.00047
CVE-2023-2332 (added 2024/11/15 11:15 a.m.)

A stored Cross-site Scripting (XSS) vulnerability exists in the Conditions tab of Pricing Rules in pimcore/pimcore versions 10.5.19. The vulnerability is present in the From and To fields of the Date Range section, allowing an attacker to inject malicious scripts. This can lead to the execution of ...

CVSS 4.8 | AI score 4.1 | EPSS 0.00002
CVE-2022-0705 (added 2022/03/16 11:15 a.m.)

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.

CVSS 5.4 | AI score 4.6 | EPSS 0.00008
CVE-2022-1429 (added 2022/04/22 9:15 a.m.)

SQL injection in GridHelperService.php in GitHub repository pimcore/pimcore prior to 10.3.6. This vulnerability is capable of stealing data.

CVSS 7.5 | AI score 7.5 | EPSS 0.00594
CVE-2022-0911 (added 2022/03/16 9:15 a.m.)

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.

CVSS 6.8 | AI score 5.3 | EPSS 0.00014
CVE-2022-1351 (added 2022/04/14 10:15 a.m.)

Stored XSS in Tooltip in GitHub repository pimcore/pimcore prior to 10.4.

CVSS 6.8 | AI score 5.3 | EPSS 0.00024
CVE-2023-30855 (added 2023/05/08 6:15 p.m.)

Pimcore is an open source data and experience management platform. Versions of Pimcore prior to 10.5.18 are vulnerable to path traversal. The impact of this path traversal and arbitrary extension is limited to creation of arbitrary files and appending data to existing files. When combined with the ...

CVSS 7.5 | AI score 7.4 | EPSS 0.00002
CVE-2019-16317 (added 2019/09/14 6:15 p.m.)

In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerab...

CVSS 8.8 | AI score 8.4 | EPSS 0.53534
Web
CVE-2023-5873 (added 2023/10/31 9:15 a.m.)

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 11.1.0.

CVSS 5.4 | AI score 4.6 | EPSS 0.00004
CVE-2022-31092 (added 2022/06/27 10:15 p.m.)

Pimcore is an Open Source Data & Experience Management Platform. Pimcore offers developers listing classes to make querying data easier. These listing classes also allow ordering or grouping of the results based on one or more columns, which should be quoted by default. The actual issue is that quoting is ...

CVSS 8.1 | AI score 7.9 | EPSS 0.00025
CVE-2021-23340 (added 2021/02/18 3:15 p.m.)

This affects the package pimcore/pimcore before 6.8.8. A Local File Inclusion vulnerability exists in the downloadCsvAction function of the CustomReportController class (bundles/AdminBundle/Controller/Reports/CustomReportController.php). An authenticated user can reach this function with a GET requ...

CVSS 7.1 | AI score 6.7 | EPSS 0.00022
Web
CVE-2022-39365 (added 2022/10/27 3:15 p.m.)

Pimcore is an open source data and experience management platform. Prior to version 10.5.9, the user-controlled Twig template rendering in Pimcore/Mail & ClassDefinition\Layout\Text is vulnerable to server-side template injection, which could lead to remote code execution. Version 10.5.9 contains ...

CVSS 9.8 | AI score 9.7 | EPSS 0.00051
CVE-2022-0510 (added 2022/02/08 3:15 p.m.)

Cross-site Scripting (XSS) - Reflected in Packagist pimcore/pimcore prior to 10.3.1.

CVSS 5.4 | AI score 4.6 | EPSS 0.00033
CVE-2022-0251 (added 2022/01/26 11:15 a.m.)

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.2.10.

CVSS 8.1 | AI score 5.5 | EPSS 0.00012
CVE-2023-1312 (added 2023/03/10 11:15 a.m.)

Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.19.

CVSS 5.2 | AI score 4.9 | EPSS 0.00005
CVE-2019-16318 (added 2019/09/14 6:15 p.m.)

In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.

CVSS 8.8 | AI score 8.4 | EPSS 0.53534
CVE-2021-39170 (added 2021/09/01 2:15 p.m.)

Pimcore is an open source data & experience management platform. Prior to version 10.1.2, an authenticated user could add XSS code as a value of custom metadata on assets. There is a patch for this issue in Pimcore version 10.1.2. As a workaround, users may apply the patch manually.

CVSS 8 | AI score 5.6 | EPSS 0.00013
CVE-2018-14057 (added 2018/08/17 6:29 p.m.)

Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function.

CVSS 8.8 | AI score 8.6 | EPSS 0.00011
CVE-2023-23937 (added 2023/02/03 8:15 p.m.)

Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. The upload functionality for updating the user profile does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signat...

CVSS 8.2 | AI score 6.2 | EPSS 0.00003
CVE-2022-0509 (added 2022/02/08 12:15 p.m.)

Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.3.1.

CVSS 6.6 | AI score 5.3 | EPSS 0.00044
CVE-2021-4139 (added 2021/12/21 1:15 p.m.)

pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

CVSS 9 | AI score 7.7 | EPSS 0.00023
CVE-2023-1429 (added 2023/03/16 12:15 p.m.)

Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.19.

CVSS 5.4 | AI score 4.7 | EPSS 0.00002
CVE-2023-25240 (added 2023/02/13 9:15 p.m.)

An improper SameSite Attribute vulnerability in Pimcore v10.5.15 allows attackers to execute arbitrary code.

CVSS 8.8 | AI score 8.9 | EPSS 0.00003
CVE-2022-3255 (added 2022/09/21 1:15 p.m.)

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can: Perform any action within the application that the user can perform. View any information that the user is able to view. Modify a...

CVSS 6.8 | AI score 5 | EPSS 0.00002
CVE-2021-39189 (added 2021/09/15 2:15 p.m.)

Pimcore is an open source data & experience management platform. In versions prior to 10.1.3, it is possible to enumerate usernames via the forgot password functionality. This issue is fixed in version 10.1.3. As a workaround, one may apply the available patch manually.

CVSS 5.3 | AI score 5 | EPSS 0.0001
CVE-2022-0348 (added 2022/01/27 2:15 p.m.)

Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.

CVSS 5.4 | AI score 4.6 | EPSS 0.00023
CVE-2022-3211 (added 2022/09/15 2:15 p.m.)

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.6.

CVSS 5.8 | AI score 5.2 | EPSS 0.00004
CVE-2023-1286 (added 2023/03/09 11:15 a.m.)

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19.

CVSS 4.8 | AI score 4.8 | EPSS 0.00002
CVE-2022-0256 (added 2022/01/17 4:15 p.m.)

pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

CVSS 5.4 | AI score 5.2 | EPSS 0.0001
CVE-2022-0257 (added 2022/01/17 4:15 p.m.)

pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

CVSS 6.1 | AI score 5.5 | EPSS 0.00017
CVE-2023-1704 (added 2023/03/29 4:15 p.m.)

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.20.

CVSS 5.4 | AI score 5.1 | EPSS 0.00002
CVE-2023-2984 (added 2023/05/30 3:15 p.m.)

Path Traversal: '..\filename' in GitHub repository pimcore/pimcore prior to 10.5.22.

CVSS 8.8 | AI score 7.3 | EPSS 0.00005
Total number of security vulnerabilities: 120