CVE-2023-28438

Опубликовано: 22 мар. 2023

Источник: nvd

CVSS3: 6.2

CVSS3: 8

EPSS Низкий

Описание

Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries and given the fact that this endpoint is using the GET method (no CSRF protection), an attacker can inject an arbitrary query by manipulating a user to click on a link. Users should upgrade to version 10.5.19 to receive a patch or, as a workaround, may apply the patch manually.

Ссылки

https://github.com/pimcore/pimcore/commit/d1abadb181c88ebaa4bce1916f9077469d4ea2bc.patch
Patch
https://github.com/pimcore/pimcore/pull/14526
Patch
Vendor Advisory
https://github.com/pimcore/pimcore/security/advisories/GHSA-vf7q-g2pv-jxvx
Patch
Vendor Advisory
https://github.com/pimcore/pimcore/commit/d1abadb181c88ebaa4bce1916f9077469d4ea2bc.patch
Patch
https://github.com/pimcore/pimcore/pull/14526
Patch
Vendor Advisory
https://github.com/pimcore/pimcore/security/advisories/GHSA-vf7q-g2pv-jxvx
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*

Версия до 10.5.19 (исключая)

EPSS

Процентиль: 0%

0.00004

Низкий

6.2 Medium

CVSS3

8 High

CVSS3

Дефекты

CWE-89

Связанные уязвимости

GHSA-vf7q-g2pv-jxvx

CVSS3: 6.2

github

почти 3 года назад

Pimcore vulnerable to improper quoting of filters in Custom Reports

EPSS

Процентиль: 0%

0.00004

Низкий

6.2 Medium

CVSS3

8 High

CVSS3

Дефекты

CWE-89