CVE-2023-30855 MEDIUM

CVE-2023-30855: Pimcore Path Traversal Vulnerability in AdminBundle/Controller/Reports/CustomReportController.php

Vendor Pimcore

Product pimcore

Weakness CWE-22 · Path traversal

Published May 8, 2023

Last update January 29, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

Pimcore is an open source data and experience management platform. Versions of Pimcore prior to 10.5.18 are vulnerable to path traversal. The impact of this path traversal and arbitrary extension is limited to creation of arbitrary files and appending data to existing files. When combined with the SQL Injection, the exported data `RESTRICTED DIFFUSION 9 / 9` can be controlled and a webshell can be uploaded. Attackers can use that to execute arbitrary PHP code on the server with the permissions of the webserver. Users may upgrade to version 10.5.18 to receive a patch or, as a workaround, apply the patch manually.

Key dates

02Disclosure timeline

May 8, 2023 CVE published

January 29, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-30855 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/22.html

Related vulnerabilities

CVE-2023-30855: Pimcore Path Traversal Vulnerability in AdminBundle/Controller/Reports/CustomReportController.php

01Description

02Disclosure timeline

03References

04Related CVE