Pimcore Admin Classic Bundle Vulnerable to SQL Injection Attacks

CVE: CVE-2024-23646
CVSS (v3.1): 8.8
Source: CVE-2024-23646

Pimcore is an open source content management system (CMS) written in PHP. It provides tools to manage digital content like documents, images, products and more.

The Pimcore Admin Classic Bundle, which powers the backend admin interface, was found to have a SQL injection vulnerability before version 1.3.2. An attacker holding only basic user permissions could potentially exploit it to read or alter any data in the database.

SQL injection occurs when user-supplied input is concatenated into an SQL query string without validation or sanitization. This lets an attacker change the structure of the query rather than merely its values, and so run statements the application never intended to issue against the database.

In this case, the “selectedIds” request parameter was not properly sanitized before being used in a SQL WHERE clause. A malicious user could craft a value that changed the meaning of the query, allowing them to view or modify data they should not have access to.
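The defect pattern described above beside its hardened form, as an added illustration that is not Pimcore's own code: the vulnerable function splices the raw parameter into the IN (...) list, while the hardened one whitelists the parameter as comma-separated integers and binds them as placeholders. The `objects` table, its rows and the function names are constructed for the example, not taken from Pimcore.

```python
import re
import sqlite3

# Constructed sample rows standing in for a CMS objects table (assumption).
SAMPLE_ROWS = [(1, "public-page"), (2, "public-image"), (3, "hr-salaries"), (4, "admin-notes")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE objects (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO objects VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def fetch_vulnerable(conn: sqlite3.Connection, selected_ids: str) -> list:
    """Defect pattern: the raw request parameter is spliced into the WHERE clause,
    so its content can alter the structure of the query."""
    sql = f"SELECT id, name FROM objects WHERE id IN ({selected_ids}) ORDER BY id"
    return conn.execute(sql).fetchall()


def parse_selected_ids(selected_ids: str) -> list:
    """Whitelist validation: accept only a non-empty, comma-separated list of
    ASCII digits; anything else is rejected before it reaches the database."""
    ids = []
    for part in selected_ids.split(","):
        part = part.strip()
        if not re.fullmatch(r"[0-9]+", part):
            raise ValueError(f"rejected selectedIds element: {part!r}")
        ids.append(int(part))
    if not ids:
        raise ValueError("selectedIds must contain at least one id")
    return ids


def fetch_hardened(conn: sqlite3.Connection, selected_ids: str) -> list:
    """Hardened form: validated integers are bound as placeholders, so the
    parameter can only ever supply values, never SQL syntax."""
    ids = parse_selected_ids(selected_ids)
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id, name FROM objects WHERE id IN ({placeholders}) ORDER BY id"
    return conn.execute(sql, ids).fetchall()
```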

Pimcore has released version 1.3.2 of the bundle, which fixes this issue. Administrators should upgrade immediately, and users should confirm they are running the latest version to protect their sites and data. Keep your software up to date with the latest patches, as many vulnerabilities are fixed over time.
