CVE-2025-27617

Опубликовано: 11 мар. 2025

Источник: nvd

CVSS3: 8.8

EPSS Низкий

Описание

Pimcore is an open source data and experience management platform. Prior to version 11.5.4, authenticated users can craft a filter string used to cause a SQL injection. Version 11.5.4 fixes the issue.

Ссылки

https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Extension/RelationFilterConditionParser.php#L29-L47
Product
https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Multiselect.php#L332-L347
Product
https://github.com/pimcore/pimcore/commit/19a8520895484e68fd254773e32476565d91deea
Patch
https://github.com/pimcore/pimcore/security/advisories/GHSA-qjpx-5m2p-5pgh
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*

Версия до 11.5.4 (исключая)

EPSS

Процентиль: 66%

0.0051

Низкий

8.8 High

CVSS3

Дефекты

CWE-89

Связанные уязвимости

GHSA-qjpx-5m2p-5pgh

github

11 месяцев назад

Pimcore Vulnerable to SQL Injection in getRelationFilterCondition