CVE-2023-28438 MEDIUM

CVE-2023-28438: Pimcore vulnerable to improper quoting of filters in Custom Reports

Vendor Pimcore
Product pimcore
Weakness CWE-89 · SQLi
Published March 22, 2023
Last update February 25, 2025

CVSS base score

6.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries and given the fact that this endpoint is using the GET method (no CSRF protection), an attacker can inject an arbitrary query by manipulating a user to click on a link. Users should upgrade to version 10.5.19 to receive a patch or, as a workaround, may apply the patch manually.

Key dates

02Disclosure timeline

March 22, 2023 CVE published
February 25, 2025 Record updated