pimcore is vulnerable to a Local File Inclusion. The vulnerability exists due to lack of sanitization of the exportFile variable in the downloadCsvAction
function of the CustomReportController class, allowing an authenticated user to reach this function with a GET request at the following endpoint: /admin/reports/custom-report/download-csv?exportFile=[filename].
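As an added defensive example (not pimcore's own code and not the fixed downloadCsvAction), the following PHP helper shows the kind of check that prevents this class of issue: a user-supplied exportFile-style value is restricted to a plain .csv file name, resolved with realpath(), and accepted only if it stays inside one fixed export directory. The export directory, the file names and the helper name safeExportPath are hypothetical.

```php
<?php
// Added example, not pimcore code: constrain a user-controlled file name
// (such as the exportFile query parameter) to a single CSV inside a fixed
// export directory before it is opened or served. $exportDir, $filename and
// safeExportPath() are hypothetical names chosen for this illustration.

function safeExportPath(string $exportDir, string $filename): ?string
{
    // Accept only a bare file name: no directory separators, no "..",
    // no NUL bytes, and a .csv extension. Anything else is rejected.
    if ($filename === '' || !preg_match('/^[A-Za-z0-9_\-]+\.csv$/', $filename)) {
        return null;
    }

    $base = realpath($exportDir);
    if ($base === false) {
        return null; // export directory does not exist
    }

    // realpath() returns false for a missing file and resolves symlinks,
    // so the resolved path can be compared against the export directory.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $filename);
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the export directory
    }

    return $candidate;
}

// Self-contained demonstration with a constructed temporary export directory.
$exportDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'export-demo-' . uniqid();
mkdir($exportDir);
file_put_contents($exportDir . DIRECTORY_SEPARATOR . 'report.csv', "id,value\n1,42\n");

// A legitimate report name resolves to a path inside the export directory.
var_dump(safeExportPath($exportDir, 'report.csv'));
// Traversal, an absolute path and a NUL-byte suffix are all rejected.
var_dump(safeExportPath($exportDir, '../../etc/passwd'));
var_dump(safeExportPath($exportDir, '/etc/passwd'));
var_dump(safeExportPath($exportDir, "report.csv\0.txt"));

// Cleanup of the constructed directory.
unlink($exportDir . DIRECTORY_SEPARATOR . 'report.csv');
rmdir($exportDir);
```

The allow-list regular expression does the real work; the realpath() comparison is a second layer that also covers symlinks placed inside the export directory. A controller that only opens the path returned by such a helper, and returns a 404 or 400 when it is null, cannot be steered to arbitrary files by the request parameter.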