cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-32871,https://securityvulnerability.io/vulnerability/CVE-2024-32871,Pimcore Thumbnail Generation Vulnerability,"The Pimcore Data & Experience Management Platform has a vulnerability in its thumbnail generation functionality that can be exploited to flood the server with large files. By manipulating the file extension or the scaling factor of requested thumbnails, attackers can produce files that exceed the original file size significantly. This situation may lead to resource exhaustion on the server, potentially impacting the availability of the service. The issue has been addressed in version 11.2.4, emphasizing the importance of upgrading to mitigate this risk.",Pimcore,Pimcore,7.5,HIGH,0.0005600000149570405,false,,false,false,false,,,false,false,,2024-06-04T14:43:20.796Z,0
CVE-2024-25625,https://securityvulnerability.io/vulnerability/CVE-2024-25625,Potential Security Vulnerability in Pimcore's Admin Classic Bundle,"A vulnerability in Pimcore's Admin Classic Bundle has been identified, specifically within the `invitationLinkAction` function of the UserController. This issue arises from improper handling of the HTTP host header, allowing an attacker to inject a malicious host header into requests directed at the /admin/user/invitationlink endpoint. As a result, URLs generated for user invitations may point to an attacker-controlled domain. The $loginUrl parameter in email invitations is constructed without proper validation of the host header, making this vulnerability a potential vector for phishing attacks. The recommended mitigation includes validating the host header to ensure it corresponds with the application's domain and employing a default trusted host mechanism when the incoming header is unrecognized or absent. Version 1.3.4 addresses this vulnerability with necessary patches.",Pimcore,Admin-ui-classic-bundle,8.1,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-02-19T15:41:29.147Z,0
CVE-2024-23646,https://securityvulnerability.io/vulnerability/CVE-2024-23646,Pimcore Admin Classic Bundle SQL Injection in Admin download files as zip,"The Pimcore Admin Classic Bundle, a backend interface for managing site files, suffers from a SQL Injection vulnerability due to improper validation of the `selectedIds` parameter in versions prior to 1.3.2. Any backend user with minimal permissions can leverage this vulnerability to execute arbitrary SQL commands, potentially allowing unauthorized access to sensitive data, modification of existing records, or elevation of their privileges to an administrative level. The issue has been resolved in version 1.3.2, which implements necessary input sanitization measures to prevent such exploitation.",pimcore,admin-ui-classic-bundle,8.8,HIGH,0.0010300000431016088,false,,false,false,false,,,false,false,,2024-01-24T19:41:49.578Z,0
CVE-2024-23648,https://securityvulnerability.io/vulnerability/CVE-2024-23648,Pimcore Admin Classic Bundle host header injection in the password reset,"The Admin Classic Bundle of Pimcore features a backend user interface that includes a password reset functionality. This system emails users a URL containing a unique token, which is valid for 24 hours, allowing them to reset their passwords. Prior to version 1.2.3, the vulnerability stemmed from how the reset-password URL was generated, leveraging the 'Host' HTTP header from the initial password reset request. Attackers could exploit this by sending fraudulent password reset requests, manipulating the 'Host' header to a controlled domain. If a user clicked the malicious link, the attacker could obtain the sensitive reset token, leading to potential account takeover. Users are advised to upgrade to version 1.2.3 or later to mitigate this risk.",pimcore,admin-ui-classic-bundle,8.8,HIGH,0.001829999964684248,false,,false,false,false,,,false,false,,2024-01-24T18:05:44.645Z,0
CVE-2023-49075,https://securityvulnerability.io/vulnerability/CVE-2023-49075,Pimcore Admin UI has Two Factor Authentication disabled for non admin security firewalls,"The Admin Classic Bundle for Pimcore has a vulnerability that disables two-factor authentication across all non-admin security firewalls. This flaw allows authenticated users to bypass the two-factor authentication mechanism, providing them access to the system without the additional security credentials typically required. This issue was rectified in version 1.2.2, ensuring that the two-factor authentication process remains intact for all users.",pimcore,admin-ui-classic-bundle,7.2,HIGH,0.001339999958872795,false,,false,false,false,,,false,false,,2023-11-28T05:15:00.000Z,0
CVE-2023-47637,https://securityvulnerability.io/vulnerability/CVE-2023-47637,SQL Injection in Admin Grid Filter API in Pimcore,"The Pimcore Open Source Data & Experience Management Platform is vulnerable to SQL injection through the `/admin/object/grid-proxy` endpoint. This vulnerability arises when the `getFilterCondition()` method processes unsanitized input, permitting malicious users with basic permissions to execute arbitrary SQL queries. This flaw could lead to unauthorized data modifications or privilege escalations to admin-level access. Users are strongly encouraged to upgrade to version 11.1.1 to mitigate risks associated with this vulnerability. No workarounds are available.",Pimcore,Pimcore,8.8,HIGH,0.0012799999676644802,false,,false,false,false,,,false,false,,2023-11-15T20:15:00.000Z,0
CVE-2023-3819,https://securityvulnerability.io/vulnerability/CVE-2023-3819,Exposure of Sensitive Information to an Unauthorized Actor in pimcore/pimcore,Pimcore GmbH's Pimcore platform is susceptible to a sensitive information exposure vulnerability. This issue allows unauthorized actors to gain access to sensitive data in the GitHub repository for versions prior to 10.6.4. Developers and users are advised to upgrade to the latest version promptly to mitigate potential risks associated with unauthorized access to sensitive information.,Pimcore,Pimcore/pimcore,7.6,HIGH,0.0008500000112690032,false,,false,false,false,,,false,false,,2023-07-21T15:15:00.000Z,0
CVE-2023-3820,https://securityvulnerability.io/vulnerability/CVE-2023-3820,SQL Injection in pimcore/pimcore,"A SQL Injection vulnerability has been identified in the Pimcore product repository, affecting versions prior to 10.6.4. This weakness allows attackers to manipulate SQL queries through input channels, potentially leading to unauthorized data access or manipulation. Organizations using affected versions are encouraged to upgrade to mitigate possible security risks.",Pimcore,Pimcore/pimcore,7.2,HIGH,0.0011399999493733048,false,,false,false,false,,,false,false,,2023-07-21T15:15:00.000Z,0
CVE-2023-3673,https://securityvulnerability.io/vulnerability/CVE-2023-3673,SQL Injection in pimcore/pimcore,"A SQL Injection vulnerability exists in the Pimcore product version 10.5.23 and earlier that could allow attackers to manipulate database queries, potentially leading to unauthorized access to sensitive data. Proper input validation and parameterized queries are necessary to mitigate such risks, emphasizing the importance of regular updates and security audits in software development.",Pimcore,Pimcore/pimcore,7.2,HIGH,0.0011399999493733048,false,,false,false,false,,,false,false,,2023-07-14T13:15:00.000Z,0
CVE-2023-2983,https://securityvulnerability.io/vulnerability/CVE-2023-2983,Privilege Defined With Unsafe Actions in pimcore/pimcore,"The vulnerability discovered in Pimcore allows users to perform unsafe actions due to improperly defined privileges in versions prior to 10.5.23. This weakness can potentially be exploited by malicious actors to elevate their access rights, leading to unauthorized operations within the application. Proper measures should be taken to update to the latest version and mitigate any associated risks.",pimcore,pimcore/pimcore,8.8,HIGH,0.0014900000533089042,false,,false,false,false,,,false,false,,2023-05-30T00:00:00.000Z,0
CVE-2023-2984,https://securityvulnerability.io/vulnerability/CVE-2023-2984,Path Traversal: '\..\filename' in pimcore/pimcore,"A path traversal vulnerability allows attackers to manipulate file paths and gain unauthorized access to files outside the intended directory. In Pimcore versions prior to 10.5.22, this vulnerability exists due to improper handling of file input that permits traversal sequences such as '\..\filename'. Attackers could exploit this flaw to access sensitive files on the server, posing significant security risks. It is crucial for users to update to the latest version to mitigate potential threats associated with this vulnerability.",pimcore,pimcore/pimcore,8.8,HIGH,0.0013899999903514981,false,,false,false,false,,,false,false,,2023-05-30T00:00:00.000Z,0
CVE-2023-2756,https://securityvulnerability.io/vulnerability/CVE-2023-2756," SQL Injection in pimcore/customer-data-framework","An SQL Injection vulnerability has been identified in the Customer Data Framework developed by Pimcore. This vulnerability, present in versions prior to 3.3.10, allows attackers to inject malicious SQL code through unsanitized input parameters. Successful exploitation of this flaw can lead to unauthorized data access and potential data manipulation. Organizations using affected versions are advised to update to version 3.3.10 or later to mitigate this security risk.",Pimcore,Pimcore/customer-data-framework,7.2,HIGH,0.0014100000262260437,false,,false,false,false,,,false,false,,2023-05-17T00:00:00.000Z,0
CVE-2023-2629,https://securityvulnerability.io/vulnerability/CVE-2023-2629,Improper Neutralization of Formula Elements in a CSV File in pimcore/customer-data-framework,"An improper neutralization vulnerability in the Customer Data Framework by Pimcore allows attackers to manipulate formulas found in CSV files, potentially leading to data integrity issues. This flaw exists in versions prior to 3.3.9, where the system fails to adequately sanitize user input, which could be exploited by malicious users to inject harmful content into spreadsheet applications upon opening the CSV file.",Pimcore,Pimcore/customer-data-framework,7.8,HIGH,0.0008800000068731606,false,,false,false,false,,,false,false,,2023-05-10T00:00:00.000Z,0
CVE-2023-30850,https://securityvulnerability.io/vulnerability/CVE-2023-30850,Pimcore SQL Injection Vulnerability in Admin Translations API,"A vulnerability exists in the Pimcore Experience Management Platform prior to version 10.5.21 that allows for SQL Injection via the admin translations API. This can result in unauthorized access to sensitive data. Users are advised to upgrade to version 10.5.21 to mitigate this risk. Additionally, users can apply the patch manually as a temporary solution. For more details and the patch, refer to the provided documentation.",Pimcore,Pimcore,8.8,HIGH,0.001970000099390745,false,,false,false,false,,,false,false,,2023-04-27T17:15:00.000Z,0
CVE-2023-30848,https://securityvulnerability.io/vulnerability/CVE-2023-30848,Pimcore SQL Injection Vulnerability in Admin Search Find API,"Pimcore, an open-source data and experience management platform, has a SQL injection vulnerability in the admin search find API prior to version 10.5.21. This vulnerability can be exploited by attackers to manipulate queries, potentially gaining unauthorized access to sensitive data. Users are advised to upgrade to version 10.5.21 or apply the patch manually to mitigate this risk.",Pimcore,Pimcore,8.8,HIGH,0.001970000099390745,false,,false,false,false,,,false,false,,2023-04-27T16:15:00.000Z,0
CVE-2023-30849,https://securityvulnerability.io/vulnerability/CVE-2023-30849,Pimcore vulnerable to SQL Injection in Translation Export API,"The Pimcore platform, a leading open-source data and experience management solution, has been identified to contain a SQL injection vulnerability in its translation export API. When exploited, this vulnerability could allow attackers to manipulate the application's database, leading to unauthorized access or data compromise. Users are strongly encouraged to upgrade to version 10.5.21, which contains the necessary security patch, or to manually apply the patch to mitigate any potential risks. Proper security measures should be implemented to safeguard data integrity and privacy.",Pimcore,Pimcore,8.8,HIGH,0.001970000099390745,false,,false,false,false,,,false,false,,2023-04-27T16:15:00.000Z,0
CVE-2023-2338,https://securityvulnerability.io/vulnerability/CVE-2023-2338," SQL Injection in pimcore/pimcore","An SQL Injection vulnerability has been identified in Pimcore, allowing attackers to manipulate queries by injecting malicious SQL code. This could lead to unauthorized access to sensitive data and compromise the integrity of the application. Users are advised to upgrade to version 10.5.21 or later to mitigate these risks.",Pimcore,Pimcore/pimcore,8.8,HIGH,0.0012499999720603228,false,,false,false,false,,,false,false,,2023-04-27T00:00:00.000Z,0
CVE-2023-28438,https://securityvulnerability.io/vulnerability/CVE-2023-28438,Pimcore vulnerable to improper quoting of filters in Custom Reports,"Pimcore, an open-source data and experience management platform, is vulnerable to SQL injection due to improper handling of user permissions. Users with 'report' permission can execute arbitrary SQL queries via a GET request without CSRF protection. This vulnerability allows attackers to craft a malicious link, tricking authorized users into executing harmful SQL commands. It is crucial for users to upgrade to version 10.5.19 or manually apply the recommended patches to mitigate this risk.",pimcore,pimcore,8,HIGH,0.0019600000232458115,false,,false,false,false,,,false,false,,2023-03-22T21:15:00.000Z,0
CVE-2023-1578,https://securityvulnerability.io/vulnerability/CVE-2023-1578," SQL Injection in pimcore/pimcore","A SQL Injection vulnerability has been identified in the Pimcore platform, specifically affecting versions prior to 10.5.19. This vulnerability can allow attackers to manipulate SQL queries via crafted inputs, potentially leading to unauthorized data access and compromise of sensitive information. Organizations using affected versions are urged to update to the latest version to mitigate risks associated with this vulnerability.",pimcore,pimcore/pimcore,8.8,HIGH,0.0011399999493733048,false,,false,false,false,,,false,false,,2023-03-22T00:00:00.000Z,0
CVE-2023-28108,https://securityvulnerability.io/vulnerability/CVE-2023-28108,"Pimcore has improper quoting of columns when calling methods ""getByUuid"" & ""exists"" on UUID Model","Pimcore, a leading open-source data and experience management platform, has a notable vulnerability affecting versions prior to 10.5.19. This vulnerability arises from inadequate quoting in the UUID DAO model, leading to potential SQL injection risks. If developers utilize these methods without proper input validation, they may inadvertently allow the injection of custom SQL queries. It is crucial for users to upgrade to version 10.5.19 to receive the necessary patch or alternatively apply the patch manually to secure their applications.",pimcore,pimcore,7.8,HIGH,0.0004400000034365803,false,,false,false,false,,,false,false,,2023-03-16T17:15:00.000Z,0
CVE-2023-25240,https://securityvulnerability.io/vulnerability/CVE-2023-25240,Improper SameSite Attribute Vulnerability in PimCore by PimCore,"An improper SameSite attribute vulnerability in PimCore version 10.5.15 can be exploited by attackers to execute arbitrary code. This weakness occurs when the SameSite attribute is not applied correctly, making it possible for malicious actors to bypass intended security measures. Users of this version are urged to perform immediate updates and implement security best practices to mitigate potential risks.",Pimcore,Pimcore,8.8,HIGH,0.0035000001080334187,false,,false,false,false,,,false,false,,2023-02-13T00:00:00.000Z,0
CVE-2022-39365,https://securityvulnerability.io/vulnerability/CVE-2022-39365,RCE vulnerability in Pimcore/Mail & Dynamic Text Layout,"Pimcore is an open source data and experience management platform. Prior to version 10.5.9, the user controlled twig templates rendering in `Pimcore/Mail` & `ClassDefinition\Layout\Text` is vulnerable to server-side template injection, which could lead to remote code execution. Version 10.5.9 contains a patch for this issue. As a workaround, one may apply the patch manually.",Pimcore,Pimcore,9.8,CRITICAL,0.01892000064253807,false,,false,false,false,,,false,false,,2022-10-27T00:00:00.000Z,0
CVE-2022-31092,https://securityvulnerability.io/vulnerability/CVE-2022-31092,SQL injection in pimcore,"Pimcore is an Open Source Data & Experience Management Platform. Pimcore offers developers listing classes to make querying data easier. This listing classes also allow to order or group the results based on one or more columns which should be quoted by default. The actual issue is that quoting is not done properly in both cases, so there's the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper input validation in advance and so relies on the auto-quoting being done by the listing classes. This issue has been resolved in version 10.4.4. Users are advised to upgrade or to apple the patch manually. There are no known workarounds for this issue.",Pimcore,Pimcore,7.5,HIGH,0.0034099998883903027,false,,false,false,false,,,false,false,,2022-06-27T21:25:12.000Z,0
CVE-2022-1429,https://securityvulnerability.io/vulnerability/CVE-2022-1429,SQL injection in GridHelperService.php in pimcore/pimcore,SQL injection in GridHelperService.php in GitHub repository pimcore/pimcore prior to 10.3.6. This vulnerability is capable of steal the data,pimcore,pimcore/pimcore,7.5,HIGH,0.0028299998957663774,false,,false,false,false,,,false,false,,2022-04-22T09:10:10.000Z,0
CVE-2022-1339,https://securityvulnerability.io/vulnerability/CVE-2022-1339,SQL injection in ElementController.php in pimcore/pimcore,SQL injection in ElementController.php in GitHub repository pimcore/pimcore prior to 10.3.5. This vulnerability is capable of steal the data,Pimcore,Pimcore/pimcore,8.8,HIGH,0.0028299998957663774,false,,false,false,false,,,false,false,,2022-04-13T09:45:15.000Z,0