CVE-2024-32871 HIGH

CVE-2024-32871: Pimcore Vulnerable to Flooding Server with Thumbnail files

Vendor Pimcore
Product pimcore
Weakness CWE-770 · Uncontrolled resource consumption
Published June 4, 2024
Last update August 2, 2024

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

Pimcore is an Open Source Data & Experience Management Platform. Pimcore's thumbnail generation can be used to flood the server with large files. By changing the file extension or scaling factor of the requested thumbnail, attackers can create files that are much larger than the original. This vulnerability is fixed in 11.2.4.

Key dates

02 Disclosure timeline

June 4, 2024 CVE published
August 2, 2024 Record updated