| 0 |
| url |
VCID-13m1-u59p-eue5 |
| vulnerability_id |
VCID-13m1-u59p-eue5 |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.19. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.19 |
| purl |
pkg:composer/pimcore/pimcore@10.5.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-3et6-gmgj-h7bn |
|
| 2 |
| vulnerability |
VCID-3ref-crmy-eucd |
|
| 3 |
| vulnerability |
VCID-4dk6-cfer-t7b5 |
|
| 4 |
| vulnerability |
VCID-5qj5-vh6d-7khq |
|
| 5 |
| vulnerability |
VCID-5tz5-h4wq-3qfy |
|
| 6 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 7 |
| vulnerability |
VCID-6w41-7cfk-j7cn |
|
| 8 |
| vulnerability |
VCID-979q-g8dh-1fgw |
|
| 9 |
| vulnerability |
VCID-9ra4-dac9-7qba |
|
| 10 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 11 |
| vulnerability |
VCID-c2j7-ywhr-3ff3 |
|
| 12 |
| vulnerability |
VCID-c5af-wpgt-dkep |
|
| 13 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 14 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 15 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 16 |
| vulnerability |
VCID-drty-cbue-3kcv |
|
| 17 |
| vulnerability |
VCID-e11t-ywn5-v7gp |
|
| 18 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 19 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 20 |
| vulnerability |
VCID-f7yk-9pys-t7dr |
|
| 21 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 22 |
| vulnerability |
VCID-j9qv-7wsq-mkf6 |
|
| 23 |
| vulnerability |
VCID-jgxx-v2wj-zkfh |
|
| 24 |
| vulnerability |
VCID-jxr2-qjbz-17ha |
|
| 25 |
| vulnerability |
VCID-m9aa-5k15-dfap |
|
| 26 |
| vulnerability |
VCID-mapb-drtt-rbez |
|
| 27 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 28 |
| vulnerability |
VCID-mwu6-2hxd-efc2 |
|
| 29 |
| vulnerability |
VCID-n6h3-gsty-sua2 |
|
| 30 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 31 |
| vulnerability |
VCID-tkcj-gar9-dbbh |
|
| 32 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 33 |
| vulnerability |
VCID-uxdh-6r6k-h7fr |
|
| 34 |
| vulnerability |
VCID-v6d4-h4sz-4yad |
|
| 35 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 36 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 37 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 38 |
| vulnerability |
VCID-y92e-mb7u-sueg |
|
| 39 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
| 40 |
| vulnerability |
VCID-zth5-afz8-uya7 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.19 |
|
|
| aliases |
CVE-2023-1517, GHSA-42x8-2v53-pqmj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-13m1-u59p-eue5 |
|
| 1 |
|
| 2 |
| url |
VCID-354d-zv99-73g6 |
| vulnerability_id |
VCID-354d-zv99-73g6 |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.19. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.19 |
| purl |
pkg:composer/pimcore/pimcore@10.5.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-3et6-gmgj-h7bn |
|
| 2 |
| vulnerability |
VCID-3ref-crmy-eucd |
|
| 3 |
| vulnerability |
VCID-4dk6-cfer-t7b5 |
|
| 4 |
| vulnerability |
VCID-5qj5-vh6d-7khq |
|
| 5 |
| vulnerability |
VCID-5tz5-h4wq-3qfy |
|
| 6 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 7 |
| vulnerability |
VCID-6w41-7cfk-j7cn |
|
| 8 |
| vulnerability |
VCID-979q-g8dh-1fgw |
|
| 9 |
| vulnerability |
VCID-9ra4-dac9-7qba |
|
| 10 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 11 |
| vulnerability |
VCID-c2j7-ywhr-3ff3 |
|
| 12 |
| vulnerability |
VCID-c5af-wpgt-dkep |
|
| 13 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 14 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 15 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 16 |
| vulnerability |
VCID-drty-cbue-3kcv |
|
| 17 |
| vulnerability |
VCID-e11t-ywn5-v7gp |
|
| 18 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 19 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 20 |
| vulnerability |
VCID-f7yk-9pys-t7dr |
|
| 21 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 22 |
| vulnerability |
VCID-j9qv-7wsq-mkf6 |
|
| 23 |
| vulnerability |
VCID-jgxx-v2wj-zkfh |
|
| 24 |
| vulnerability |
VCID-jxr2-qjbz-17ha |
|
| 25 |
| vulnerability |
VCID-m9aa-5k15-dfap |
|
| 26 |
| vulnerability |
VCID-mapb-drtt-rbez |
|
| 27 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 28 |
| vulnerability |
VCID-mwu6-2hxd-efc2 |
|
| 29 |
| vulnerability |
VCID-n6h3-gsty-sua2 |
|
| 30 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 31 |
| vulnerability |
VCID-tkcj-gar9-dbbh |
|
| 32 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 33 |
| vulnerability |
VCID-uxdh-6r6k-h7fr |
|
| 34 |
| vulnerability |
VCID-v6d4-h4sz-4yad |
|
| 35 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 36 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 37 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 38 |
| vulnerability |
VCID-y92e-mb7u-sueg |
|
| 39 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
| 40 |
| vulnerability |
VCID-zth5-afz8-uya7 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.19 |
|
| 1 |
|
|
| aliases |
CVE-2023-1312, GHSA-gh4g-65f6-84g5
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-354d-zv99-73g6 |
|
| 3 |
| url |
VCID-3et6-gmgj-h7bn |
| vulnerability_id |
VCID-3et6-gmgj-h7bn |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-2327, GHSA-x9xj-pqmv-8jf7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3et6-gmgj-h7bn |
|
| 4 |
| url |
VCID-3ref-crmy-eucd |
| vulnerability_id |
VCID-3ref-crmy-eucd |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.20. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.20 |
| purl |
pkg:composer/pimcore/pimcore@10.5.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-3et6-gmgj-h7bn |
|
| 2 |
| vulnerability |
VCID-4dk6-cfer-t7b5 |
|
| 3 |
| vulnerability |
VCID-5qj5-vh6d-7khq |
|
| 4 |
| vulnerability |
VCID-5tz5-h4wq-3qfy |
|
| 5 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 6 |
| vulnerability |
VCID-6w41-7cfk-j7cn |
|
| 7 |
| vulnerability |
VCID-979q-g8dh-1fgw |
|
| 8 |
| vulnerability |
VCID-9ra4-dac9-7qba |
|
| 9 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 10 |
| vulnerability |
VCID-c2j7-ywhr-3ff3 |
|
| 11 |
| vulnerability |
VCID-c5af-wpgt-dkep |
|
| 12 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 13 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 14 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 15 |
| vulnerability |
VCID-drty-cbue-3kcv |
|
| 16 |
| vulnerability |
VCID-e11t-ywn5-v7gp |
|
| 17 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 18 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 19 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 20 |
| vulnerability |
VCID-jgxx-v2wj-zkfh |
|
| 21 |
| vulnerability |
VCID-jxr2-qjbz-17ha |
|
| 22 |
| vulnerability |
VCID-m9aa-5k15-dfap |
|
| 23 |
| vulnerability |
VCID-mapb-drtt-rbez |
|
| 24 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 25 |
| vulnerability |
VCID-mwu6-2hxd-efc2 |
|
| 26 |
| vulnerability |
VCID-n6h3-gsty-sua2 |
|
| 27 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 28 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 29 |
| vulnerability |
VCID-uxdh-6r6k-h7fr |
|
| 30 |
| vulnerability |
VCID-v6d4-h4sz-4yad |
|
| 31 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 32 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 33 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 34 |
| vulnerability |
VCID-y92e-mb7u-sueg |
|
| 35 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
| 36 |
| vulnerability |
VCID-zth5-afz8-uya7 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.20 |
|
| 1 |
|
|
| aliases |
CVE-2023-1702, GHSA-69fc-v223-6rjw, GHSA-6qjm-39vh-729w
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3ref-crmy-eucd |
|
| 5 |
| url |
VCID-4dk6-cfer-t7b5 |
| vulnerability_id |
VCID-4dk6-cfer-t7b5 |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.21. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-2614, GHSA-m6m9-gr85-79vm
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4dk6-cfer-t7b5 |
|
| 6 |
| url |
VCID-5qj5-vh6d-7khq |
| vulnerability_id |
VCID-5qj5-vh6d-7khq |
| summary |
Cross-site Scripting (XSS) in Conditions tab of Pricing Rules
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-2332, GHSA-r7mm-jx6h-hv7m
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5qj5-vh6d-7khq |
|
| 7 |
| url |
VCID-5tz5-h4wq-3qfy |
| vulnerability_id |
VCID-5tz5-h4wq-3qfy |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-2323, GHSA-cjv6-w5hf-5wr6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5tz5-h4wq-3qfy |
|
| 8 |
| url |
VCID-68hd-e927-4kcu |
| vulnerability_id |
VCID-68hd-e927-4kcu |
| summary |
Pimcore is Vulnerable to Broken Access Control: Missing Function Level Authorization on "Static Routes" Listing
The application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This violates OWASP A01:2021 Broken Access Control, as function-level authorization is absent, allowing unauthorized access to internal routing metadata. Without validation, the endpoint exposes route structures, potentially revealing application architecture, endpoints, or custom logic intended for administrative roles only. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-23494, GHSA-m3r2-724c-pwgf
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-68hd-e927-4kcu |
|
| 9 |
| url |
VCID-6w41-7cfk-j7cn |
| vulnerability_id |
VCID-6w41-7cfk-j7cn |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-2616, GHSA-mhpj-7m7h-8p6x
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6w41-7cfk-j7cn |
|
| 10 |
| url |
VCID-81mh-qb4b-n7a8 |
| vulnerability_id |
VCID-81mh-qb4b-n7a8 |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 11.0.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-1247, GHSA-8wg7-88cg-7p9j
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-81mh-qb4b-n7a8 |
|
| 11 |
| url |
VCID-93rb-sj45-w3fh |
| vulnerability_id |
VCID-93rb-sj45-w3fh |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.19. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.19 |
| purl |
pkg:composer/pimcore/pimcore@10.5.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-3et6-gmgj-h7bn |
|
| 2 |
| vulnerability |
VCID-3ref-crmy-eucd |
|
| 3 |
| vulnerability |
VCID-4dk6-cfer-t7b5 |
|
| 4 |
| vulnerability |
VCID-5qj5-vh6d-7khq |
|
| 5 |
| vulnerability |
VCID-5tz5-h4wq-3qfy |
|
| 6 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 7 |
| vulnerability |
VCID-6w41-7cfk-j7cn |
|
| 8 |
| vulnerability |
VCID-979q-g8dh-1fgw |
|
| 9 |
| vulnerability |
VCID-9ra4-dac9-7qba |
|
| 10 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 11 |
| vulnerability |
VCID-c2j7-ywhr-3ff3 |
|
| 12 |
| vulnerability |
VCID-c5af-wpgt-dkep |
|
| 13 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 14 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 15 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 16 |
| vulnerability |
VCID-drty-cbue-3kcv |
|
| 17 |
| vulnerability |
VCID-e11t-ywn5-v7gp |
|
| 18 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 19 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 20 |
| vulnerability |
VCID-f7yk-9pys-t7dr |
|
| 21 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 22 |
| vulnerability |
VCID-j9qv-7wsq-mkf6 |
|
| 23 |
| vulnerability |
VCID-jgxx-v2wj-zkfh |
|
| 24 |
| vulnerability |
VCID-jxr2-qjbz-17ha |
|
| 25 |
| vulnerability |
VCID-m9aa-5k15-dfap |
|
| 26 |
| vulnerability |
VCID-mapb-drtt-rbez |
|
| 27 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 28 |
| vulnerability |
VCID-mwu6-2hxd-efc2 |
|
| 29 |
| vulnerability |
VCID-n6h3-gsty-sua2 |
|
| 30 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 31 |
| vulnerability |
VCID-tkcj-gar9-dbbh |
|
| 32 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 33 |
| vulnerability |
VCID-uxdh-6r6k-h7fr |
|
| 34 |
| vulnerability |
VCID-v6d4-h4sz-4yad |
|
| 35 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 36 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 37 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 38 |
| vulnerability |
VCID-y92e-mb7u-sueg |
|
| 39 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
| 40 |
| vulnerability |
VCID-zth5-afz8-uya7 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.19 |
|
|
| aliases |
CVE-2023-1429, GHSA-3223-w774-99fq
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-93rb-sj45-w3fh |
|
| 12 |
| url |
VCID-979q-g8dh-1fgw |
| vulnerability_id |
VCID-979q-g8dh-1fgw |
| summary |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Path Traversal in GitHub repository pimcore/pimcore prior to 10.5.21. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-2336, GHSA-hg77-vx9v-f49x
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-979q-g8dh-1fgw |
|
| 13 |
| url |
VCID-9ra4-dac9-7qba |
| vulnerability_id |
VCID-9ra4-dac9-7qba |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-2339, GHSA-6fvf-x8c6-2f6j
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9ra4-dac9-7qba |
|
| 14 |
|
| 15 |
| url |
VCID-c2j7-ywhr-3ff3 |
| vulnerability_id |
VCID-c2j7-ywhr-3ff3 |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-2630, GHSA-w766-3572-f2hv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c2j7-ywhr-3ff3 |
|
| 16 |
| url |
VCID-c5af-wpgt-dkep |
| vulnerability_id |
VCID-c5af-wpgt-dkep |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.21. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-2343, GHSA-9q7q-r54q-3f3g
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c5af-wpgt-dkep |
|
| 17 |
| url |
VCID-cbx2-f95n-kqgd |
| vulnerability_id |
VCID-cbx2-f95n-kqgd |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.8. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-4453, GHSA-599v-h3q5-g6r9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cbx2-f95n-kqgd |
|
| 18 |
| url |
VCID-cgzf-jppn-q7ff |
| vulnerability_id |
VCID-cgzf-jppn-q7ff |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pimcore/pimcore. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.19 |
| purl |
pkg:composer/pimcore/pimcore@10.5.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-3et6-gmgj-h7bn |
|
| 2 |
| vulnerability |
VCID-3ref-crmy-eucd |
|
| 3 |
| vulnerability |
VCID-4dk6-cfer-t7b5 |
|
| 4 |
| vulnerability |
VCID-5qj5-vh6d-7khq |
|
| 5 |
| vulnerability |
VCID-5tz5-h4wq-3qfy |
|
| 6 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 7 |
| vulnerability |
VCID-6w41-7cfk-j7cn |
|
| 8 |
| vulnerability |
VCID-979q-g8dh-1fgw |
|
| 9 |
| vulnerability |
VCID-9ra4-dac9-7qba |
|
| 10 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 11 |
| vulnerability |
VCID-c2j7-ywhr-3ff3 |
|
| 12 |
| vulnerability |
VCID-c5af-wpgt-dkep |
|
| 13 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 14 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 15 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 16 |
| vulnerability |
VCID-drty-cbue-3kcv |
|
| 17 |
| vulnerability |
VCID-e11t-ywn5-v7gp |
|
| 18 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 19 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 20 |
| vulnerability |
VCID-f7yk-9pys-t7dr |
|
| 21 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 22 |
| vulnerability |
VCID-j9qv-7wsq-mkf6 |
|
| 23 |
| vulnerability |
VCID-jgxx-v2wj-zkfh |
|
| 24 |
| vulnerability |
VCID-jxr2-qjbz-17ha |
|
| 25 |
| vulnerability |
VCID-m9aa-5k15-dfap |
|
| 26 |
| vulnerability |
VCID-mapb-drtt-rbez |
|
| 27 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 28 |
| vulnerability |
VCID-mwu6-2hxd-efc2 |
|
| 29 |
| vulnerability |
VCID-n6h3-gsty-sua2 |
|
| 30 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 31 |
| vulnerability |
VCID-tkcj-gar9-dbbh |
|
| 32 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 33 |
| vulnerability |
VCID-uxdh-6r6k-h7fr |
|
| 34 |
| vulnerability |
VCID-v6d4-h4sz-4yad |
|
| 35 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 36 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 37 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 38 |
| vulnerability |
VCID-y92e-mb7u-sueg |
|
| 39 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
| 40 |
| vulnerability |
VCID-zth5-afz8-uya7 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.19 |
|
|
| aliases |
GHSA-rrwm-8wqm-gwgv, GMS-2023-781
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cgzf-jppn-q7ff |
|
| 19 |
| url |
VCID-d7zd-p4g6-ryd1 |
| vulnerability_id |
VCID-d7zd-p4g6-ryd1 |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.19 |
| purl |
pkg:composer/pimcore/pimcore@10.5.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-3et6-gmgj-h7bn |
|
| 2 |
| vulnerability |
VCID-3ref-crmy-eucd |
|
| 3 |
| vulnerability |
VCID-4dk6-cfer-t7b5 |
|
| 4 |
| vulnerability |
VCID-5qj5-vh6d-7khq |
|
| 5 |
| vulnerability |
VCID-5tz5-h4wq-3qfy |
|
| 6 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 7 |
| vulnerability |
VCID-6w41-7cfk-j7cn |
|
| 8 |
| vulnerability |
VCID-979q-g8dh-1fgw |
|
| 9 |
| vulnerability |
VCID-9ra4-dac9-7qba |
|
| 10 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 11 |
| vulnerability |
VCID-c2j7-ywhr-3ff3 |
|
| 12 |
| vulnerability |
VCID-c5af-wpgt-dkep |
|
| 13 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 14 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 15 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 16 |
| vulnerability |
VCID-drty-cbue-3kcv |
|
| 17 |
| vulnerability |
VCID-e11t-ywn5-v7gp |
|
| 18 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 19 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 20 |
| vulnerability |
VCID-f7yk-9pys-t7dr |
|
| 21 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 22 |
| vulnerability |
VCID-j9qv-7wsq-mkf6 |
|
| 23 |
| vulnerability |
VCID-jgxx-v2wj-zkfh |
|
| 24 |
| vulnerability |
VCID-jxr2-qjbz-17ha |
|
| 25 |
| vulnerability |
VCID-m9aa-5k15-dfap |
|
| 26 |
| vulnerability |
VCID-mapb-drtt-rbez |
|
| 27 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 28 |
| vulnerability |
VCID-mwu6-2hxd-efc2 |
|
| 29 |
| vulnerability |
VCID-n6h3-gsty-sua2 |
|
| 30 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 31 |
| vulnerability |
VCID-tkcj-gar9-dbbh |
|
| 32 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 33 |
| vulnerability |
VCID-uxdh-6r6k-h7fr |
|
| 34 |
| vulnerability |
VCID-v6d4-h4sz-4yad |
|
| 35 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 36 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 37 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 38 |
| vulnerability |
VCID-y92e-mb7u-sueg |
|
| 39 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
| 40 |
| vulnerability |
VCID-zth5-afz8-uya7 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.19 |
|
|
| aliases |
CVE-2023-1515, GHSA-66cm-c7ch-5j8q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d7zd-p4g6-ryd1 |
|
| 20 |
| url |
VCID-de3u-8wqt-uyc2 |
| vulnerability_id |
VCID-de3u-8wqt-uyc2 |
| summary |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in the `AssetController::importServerFilesAction`, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore_log parameter. This can lead to a potential denial of service (key file overwrite).
The impact of this vulnerability allows attackers to overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information. This could also cause a denial of service (DoS) if critical system files are overwritten or deleted. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-38708, GHSA-34hj-v8fm-x887
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-de3u-8wqt-uyc2 |
|
| 21 |
| url |
VCID-dhdb-wakw-pufe |
| vulnerability_id |
VCID-dhdb-wakw-pufe |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 11.1.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-5873, GHSA-j59v-hh4p-q92m
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dhdb-wakw-pufe |
|
| 22 |
| url |
VCID-drty-cbue-3kcv |
| vulnerability_id |
VCID-drty-cbue-3kcv |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-2342, GHSA-2c67-p4xh-m34w
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-drty-cbue-3kcv |
|
| 23 |
| url |
VCID-e11t-ywn5-v7gp |
| vulnerability_id |
VCID-e11t-ywn5-v7gp |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-2322, GHSA-476g-v7hf-cw5m
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e11t-ywn5-v7gp |
|
| 24 |
| url |
VCID-f4vw-12f3-wfgb |
| vulnerability_id |
VCID-f4vw-12f3-wfgb |
| summary |
Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause
The filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries.
Affected code in models/Dependency/Dao.php:
- getFilterRequiresByPath() lines 90, 95, 100
- getFilterRequiredByPath() lines 148, 153, 158
All 6 locations use direct string concatenation like:
"AND LOWER(CONCAT(o.path, o.key)) RLIKE '".$value."'"
Note that $orderBy and $orderDirection in the same methods (lines 75-81) ARE properly `whitelist`-validated, but $value has zero sanitization.
Entry points (pimcore/admin-ui-classic-bundle ElementController.php):
- GET /admin/element/get-requires-dependencies (line 654)
- GET /admin/element/get-required-by-dependencies (line 714)
The controller JSON-decodes the filter query param and passes $filter['value'] straight to the Dao without any escaping.
PoC (time-based blind): |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-27461, GHSA-vxg3-v4p6-f3fp
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-f4vw-12f3-wfgb |
|
| 25 |
| url |
VCID-f5cg-bkw2-hqct |
| vulnerability_id |
VCID-f5cg-bkw2-hqct |
| summary |
Pimcore ENV Variables and Cookie Information are exposed in http_error_log
The http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-23493, GHSA-q433-j342-rp9h
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-f5cg-bkw2-hqct |
|
| 26 |
| url |
VCID-f7yk-9pys-t7dr |
| vulnerability_id |
VCID-f7yk-9pys-t7dr |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.20. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.20 |
| purl |
pkg:composer/pimcore/pimcore@10.5.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-3et6-gmgj-h7bn |
|
| 2 |
| vulnerability |
VCID-4dk6-cfer-t7b5 |
|
| 3 |
| vulnerability |
VCID-5qj5-vh6d-7khq |
|
| 4 |
| vulnerability |
VCID-5tz5-h4wq-3qfy |
|
| 5 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 6 |
| vulnerability |
VCID-6w41-7cfk-j7cn |
|
| 7 |
| vulnerability |
VCID-979q-g8dh-1fgw |
|
| 8 |
| vulnerability |
VCID-9ra4-dac9-7qba |
|
| 9 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 10 |
| vulnerability |
VCID-c2j7-ywhr-3ff3 |
|
| 11 |
| vulnerability |
VCID-c5af-wpgt-dkep |
|
| 12 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 13 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 14 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 15 |
| vulnerability |
VCID-drty-cbue-3kcv |
|
| 16 |
| vulnerability |
VCID-e11t-ywn5-v7gp |
|
| 17 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 18 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 19 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 20 |
| vulnerability |
VCID-jgxx-v2wj-zkfh |
|
| 21 |
| vulnerability |
VCID-jxr2-qjbz-17ha |
|
| 22 |
| vulnerability |
VCID-m9aa-5k15-dfap |
|
| 23 |
| vulnerability |
VCID-mapb-drtt-rbez |
|
| 24 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 25 |
| vulnerability |
VCID-mwu6-2hxd-efc2 |
|
| 26 |
| vulnerability |
VCID-n6h3-gsty-sua2 |
|
| 27 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 28 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 29 |
| vulnerability |
VCID-uxdh-6r6k-h7fr |
|
| 30 |
| vulnerability |
VCID-v6d4-h4sz-4yad |
|
| 31 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 32 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 33 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 34 |
| vulnerability |
VCID-y92e-mb7u-sueg |
|
| 35 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
| 36 |
| vulnerability |
VCID-zth5-afz8-uya7 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.20 |
|
| 1 |
|
|
| aliases |
CVE-2023-1703, GHSA-3r5c-h7g6-cqw7, GHSA-4f25-2x2c-vg6v
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-f7yk-9pys-t7dr |
|
| 27 |
| url |
VCID-gs48-295u-mqdt |
| vulnerability_id |
VCID-gs48-295u-mqdt |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.19 |
| purl |
pkg:composer/pimcore/pimcore@10.5.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-3et6-gmgj-h7bn |
|
| 2 |
| vulnerability |
VCID-3ref-crmy-eucd |
|
| 3 |
| vulnerability |
VCID-4dk6-cfer-t7b5 |
|
| 4 |
| vulnerability |
VCID-5qj5-vh6d-7khq |
|
| 5 |
| vulnerability |
VCID-5tz5-h4wq-3qfy |
|
| 6 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 7 |
| vulnerability |
VCID-6w41-7cfk-j7cn |
|
| 8 |
| vulnerability |
VCID-979q-g8dh-1fgw |
|
| 9 |
| vulnerability |
VCID-9ra4-dac9-7qba |
|
| 10 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 11 |
| vulnerability |
VCID-c2j7-ywhr-3ff3 |
|
| 12 |
| vulnerability |
VCID-c5af-wpgt-dkep |
|
| 13 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 14 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 15 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 16 |
| vulnerability |
VCID-drty-cbue-3kcv |
|
| 17 |
| vulnerability |
VCID-e11t-ywn5-v7gp |
|
| 18 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 19 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 20 |
| vulnerability |
VCID-f7yk-9pys-t7dr |
|
| 21 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 22 |
| vulnerability |
VCID-j9qv-7wsq-mkf6 |
|
| 23 |
| vulnerability |
VCID-jgxx-v2wj-zkfh |
|
| 24 |
| vulnerability |
VCID-jxr2-qjbz-17ha |
|
| 25 |
| vulnerability |
VCID-m9aa-5k15-dfap |
|
| 26 |
| vulnerability |
VCID-mapb-drtt-rbez |
|
| 27 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 28 |
| vulnerability |
VCID-mwu6-2hxd-efc2 |
|
| 29 |
| vulnerability |
VCID-n6h3-gsty-sua2 |
|
| 30 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 31 |
| vulnerability |
VCID-tkcj-gar9-dbbh |
|
| 32 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 33 |
| vulnerability |
VCID-uxdh-6r6k-h7fr |
|
| 34 |
| vulnerability |
VCID-v6d4-h4sz-4yad |
|
| 35 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 36 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 37 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 38 |
| vulnerability |
VCID-y92e-mb7u-sueg |
|
| 39 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
| 40 |
| vulnerability |
VCID-zth5-afz8-uya7 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.19 |
|
| 1 |
|
|
| aliases |
CVE-2023-1286, GHSA-8jv7-vwrc-mv4g
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gs48-295u-mqdt |
|
| 28 |
|
| 29 |
| url |
VCID-j9qv-7wsq-mkf6 |
| vulnerability_id |
VCID-j9qv-7wsq-mkf6 |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.20. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.20 |
| purl |
pkg:composer/pimcore/pimcore@10.5.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-3et6-gmgj-h7bn |
|
| 2 |
| vulnerability |
VCID-4dk6-cfer-t7b5 |
|
| 3 |
| vulnerability |
VCID-5qj5-vh6d-7khq |
|
| 4 |
| vulnerability |
VCID-5tz5-h4wq-3qfy |
|
| 5 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 6 |
| vulnerability |
VCID-6w41-7cfk-j7cn |
|
| 7 |
| vulnerability |
VCID-979q-g8dh-1fgw |
|
| 8 |
| vulnerability |
VCID-9ra4-dac9-7qba |
|
| 9 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 10 |
| vulnerability |
VCID-c2j7-ywhr-3ff3 |
|
| 11 |
| vulnerability |
VCID-c5af-wpgt-dkep |
|
| 12 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 13 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 14 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 15 |
| vulnerability |
VCID-drty-cbue-3kcv |
|
| 16 |
| vulnerability |
VCID-e11t-ywn5-v7gp |
|
| 17 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 18 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 19 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 20 |
| vulnerability |
VCID-jgxx-v2wj-zkfh |
|
| 21 |
| vulnerability |
VCID-jxr2-qjbz-17ha |
|
| 22 |
| vulnerability |
VCID-m9aa-5k15-dfap |
|
| 23 |
| vulnerability |
VCID-mapb-drtt-rbez |
|
| 24 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 25 |
| vulnerability |
VCID-mwu6-2hxd-efc2 |
|
| 26 |
| vulnerability |
VCID-n6h3-gsty-sua2 |
|
| 27 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 28 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 29 |
| vulnerability |
VCID-uxdh-6r6k-h7fr |
|
| 30 |
| vulnerability |
VCID-v6d4-h4sz-4yad |
|
| 31 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 32 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 33 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 34 |
| vulnerability |
VCID-y92e-mb7u-sueg |
|
| 35 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
| 36 |
| vulnerability |
VCID-zth5-afz8-uya7 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.20 |
|
| 1 |
|
|
| aliases |
CVE-2023-1701, GHSA-6mmf-qm37-pmgg, GHSA-7r35-chv4-xr3r
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j9qv-7wsq-mkf6 |
|
| 30 |
| url |
VCID-jgxx-v2wj-zkfh |
| vulnerability_id |
VCID-jgxx-v2wj-zkfh |
| summary |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.21. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-2338, GHSA-4x35-vr82-xvj6
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jgxx-v2wj-zkfh |
|
| 31 |
| url |
VCID-jxr2-qjbz-17ha |
| vulnerability_id |
VCID-jxr2-qjbz-17ha |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-2361, GHSA-9xg6-75mh-7x3f
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jxr2-qjbz-17ha |
|
| 32 |
| url |
VCID-m9aa-5k15-dfap |
| vulnerability_id |
VCID-m9aa-5k15-dfap |
| summary |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the admin search find API has a SQL injection vulnerability. Users should upgrade to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-30848, GHSA-6mhm-gcpf-5gr8
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m9aa-5k15-dfap |
|
| 33 |
| url |
VCID-mapb-drtt-rbez |
| vulnerability_id |
VCID-mapb-drtt-rbez |
| summary |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, a SQL Injection vulnerability exists in the admin translations API. Users should update to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-30850, GHSA-jwg4-qcgv-5wg6
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mapb-drtt-rbez |
|
| 34 |
|
| 35 |
| url |
VCID-mwu6-2hxd-efc2 |
| vulnerability_id |
VCID-mwu6-2hxd-efc2 |
| summary |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the `/admin/misc/script-proxy` API endpoint that is accessible by an authenticated administrator user is vulnerable to arbitrary JavaScript and CSS file read via the `scriptPath` and `scripts` parameters. The `scriptPath` parameter is not sanitized properly and is vulnerable to a path traversal attack. Any JavaScript/CSS file from the application server can be read by specifying a sufficient number of `../` patterns to go out from the application webroot, followed by the path of the folder where the file is located in the "scriptPath" parameter and the file name in the "scripts" parameter. The JavaScript file is successfully read only if the web application has read access to it. Users should update to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-30852, GHSA-j5c3-r84f-9596
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mwu6-2hxd-efc2 |
|
| 36 |
| url |
VCID-n6h3-gsty-sua2 |
| vulnerability_id |
VCID-n6h3-gsty-sua2 |
| summary |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, a SQL injection vulnerability exists in the translation export API. Users should update to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-30849, GHSA-xmg8-w465-mr56
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n6h3-gsty-sua2 |
|
| 37 |
| url |
VCID-p7w5-8ynh-xuh4 |
| vulnerability_id |
VCID-p7w5-8ynh-xuh4 |
| summary |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.19. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.19 |
| purl |
pkg:composer/pimcore/pimcore@10.5.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-3et6-gmgj-h7bn |
|
| 2 |
| vulnerability |
VCID-3ref-crmy-eucd |
|
| 3 |
| vulnerability |
VCID-4dk6-cfer-t7b5 |
|
| 4 |
| vulnerability |
VCID-5qj5-vh6d-7khq |
|
| 5 |
| vulnerability |
VCID-5tz5-h4wq-3qfy |
|
| 6 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 7 |
| vulnerability |
VCID-6w41-7cfk-j7cn |
|
| 8 |
| vulnerability |
VCID-979q-g8dh-1fgw |
|
| 9 |
| vulnerability |
VCID-9ra4-dac9-7qba |
|
| 10 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 11 |
| vulnerability |
VCID-c2j7-ywhr-3ff3 |
|
| 12 |
| vulnerability |
VCID-c5af-wpgt-dkep |
|
| 13 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 14 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 15 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 16 |
| vulnerability |
VCID-drty-cbue-3kcv |
|
| 17 |
| vulnerability |
VCID-e11t-ywn5-v7gp |
|
| 18 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 19 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 20 |
| vulnerability |
VCID-f7yk-9pys-t7dr |
|
| 21 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 22 |
| vulnerability |
VCID-j9qv-7wsq-mkf6 |
|
| 23 |
| vulnerability |
VCID-jgxx-v2wj-zkfh |
|
| 24 |
| vulnerability |
VCID-jxr2-qjbz-17ha |
|
| 25 |
| vulnerability |
VCID-m9aa-5k15-dfap |
|
| 26 |
| vulnerability |
VCID-mapb-drtt-rbez |
|
| 27 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 28 |
| vulnerability |
VCID-mwu6-2hxd-efc2 |
|
| 29 |
| vulnerability |
VCID-n6h3-gsty-sua2 |
|
| 30 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 31 |
| vulnerability |
VCID-tkcj-gar9-dbbh |
|
| 32 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 33 |
| vulnerability |
VCID-uxdh-6r6k-h7fr |
|
| 34 |
| vulnerability |
VCID-v6d4-h4sz-4yad |
|
| 35 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 36 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 37 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 38 |
| vulnerability |
VCID-y92e-mb7u-sueg |
|
| 39 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
| 40 |
| vulnerability |
VCID-zth5-afz8-uya7 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.19 |
|
|
| aliases |
CVE-2023-1578, GHSA-42c3-wvww-gcqj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-p7w5-8ynh-xuh4 |
|
| 38 |
| url |
VCID-q7xb-xff7-77cf |
| vulnerability_id |
VCID-q7xb-xff7-77cf |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.4. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-3822, GHSA-vmpv-qjhq-r463
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-q7xb-xff7-77cf |
|
| 39 |
| url |
VCID-qn3n-hpd2-7baf |
| vulnerability_id |
VCID-qn3n-hpd2-7baf |
| summary |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries and given the fact that this endpoint is using the GET method (no CSRF protection), an attacker can inject an arbitrary query by manipulating a user to click on a link. Users should upgrade to version 10.5.19 to receive a patch or, as a workaround, may apply the patch manually. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.19 |
| purl |
pkg:composer/pimcore/pimcore@10.5.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-3et6-gmgj-h7bn |
|
| 2 |
| vulnerability |
VCID-3ref-crmy-eucd |
|
| 3 |
| vulnerability |
VCID-4dk6-cfer-t7b5 |
|
| 4 |
| vulnerability |
VCID-5qj5-vh6d-7khq |
|
| 5 |
| vulnerability |
VCID-5tz5-h4wq-3qfy |
|
| 6 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 7 |
| vulnerability |
VCID-6w41-7cfk-j7cn |
|
| 8 |
| vulnerability |
VCID-979q-g8dh-1fgw |
|
| 9 |
| vulnerability |
VCID-9ra4-dac9-7qba |
|
| 10 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 11 |
| vulnerability |
VCID-c2j7-ywhr-3ff3 |
|
| 12 |
| vulnerability |
VCID-c5af-wpgt-dkep |
|
| 13 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 14 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 15 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 16 |
| vulnerability |
VCID-drty-cbue-3kcv |
|
| 17 |
| vulnerability |
VCID-e11t-ywn5-v7gp |
|
| 18 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 19 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 20 |
| vulnerability |
VCID-f7yk-9pys-t7dr |
|
| 21 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 22 |
| vulnerability |
VCID-j9qv-7wsq-mkf6 |
|
| 23 |
| vulnerability |
VCID-jgxx-v2wj-zkfh |
|
| 24 |
| vulnerability |
VCID-jxr2-qjbz-17ha |
|
| 25 |
| vulnerability |
VCID-m9aa-5k15-dfap |
|
| 26 |
| vulnerability |
VCID-mapb-drtt-rbez |
|
| 27 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 28 |
| vulnerability |
VCID-mwu6-2hxd-efc2 |
|
| 29 |
| vulnerability |
VCID-n6h3-gsty-sua2 |
|
| 30 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 31 |
| vulnerability |
VCID-tkcj-gar9-dbbh |
|
| 32 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 33 |
| vulnerability |
VCID-uxdh-6r6k-h7fr |
|
| 34 |
| vulnerability |
VCID-v6d4-h4sz-4yad |
|
| 35 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 36 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 37 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 38 |
| vulnerability |
VCID-y92e-mb7u-sueg |
|
| 39 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
| 40 |
| vulnerability |
VCID-zth5-afz8-uya7 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.19 |
|
|
| aliases |
CVE-2023-28438, GHSA-vf7q-g2pv-jxvx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qn3n-hpd2-7baf |
|
| 40 |
| url |
VCID-qv8v-b5t4-jqb9 |
| vulnerability_id |
VCID-qv8v-b5t4-jqb9 |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Pimcore is an open source data and experience management platform. Prior to version 10.5.19, an attacker can use cross-site scripting to send a malicious script to an unsuspecting user. Users may upgrade to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/pimcore/pimcore/pull/14669.patch |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:29:14Z/ |
|
|
| url |
https://github.com/pimcore/pimcore/pull/14669.patch |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.19 |
| purl |
pkg:composer/pimcore/pimcore@10.5.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-3et6-gmgj-h7bn |
|
| 2 |
| vulnerability |
VCID-3ref-crmy-eucd |
|
| 3 |
| vulnerability |
VCID-4dk6-cfer-t7b5 |
|
| 4 |
| vulnerability |
VCID-5qj5-vh6d-7khq |
|
| 5 |
| vulnerability |
VCID-5tz5-h4wq-3qfy |
|
| 6 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 7 |
| vulnerability |
VCID-6w41-7cfk-j7cn |
|
| 8 |
| vulnerability |
VCID-979q-g8dh-1fgw |
|
| 9 |
| vulnerability |
VCID-9ra4-dac9-7qba |
|
| 10 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 11 |
| vulnerability |
VCID-c2j7-ywhr-3ff3 |
|
| 12 |
| vulnerability |
VCID-c5af-wpgt-dkep |
|
| 13 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 14 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 15 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 16 |
| vulnerability |
VCID-drty-cbue-3kcv |
|
| 17 |
| vulnerability |
VCID-e11t-ywn5-v7gp |
|
| 18 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 19 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 20 |
| vulnerability |
VCID-f7yk-9pys-t7dr |
|
| 21 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 22 |
| vulnerability |
VCID-j9qv-7wsq-mkf6 |
|
| 23 |
| vulnerability |
VCID-jgxx-v2wj-zkfh |
|
| 24 |
| vulnerability |
VCID-jxr2-qjbz-17ha |
|
| 25 |
| vulnerability |
VCID-m9aa-5k15-dfap |
|
| 26 |
| vulnerability |
VCID-mapb-drtt-rbez |
|
| 27 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 28 |
| vulnerability |
VCID-mwu6-2hxd-efc2 |
|
| 29 |
| vulnerability |
VCID-n6h3-gsty-sua2 |
|
| 30 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 31 |
| vulnerability |
VCID-tkcj-gar9-dbbh |
|
| 32 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 33 |
| vulnerability |
VCID-uxdh-6r6k-h7fr |
|
| 34 |
| vulnerability |
VCID-v6d4-h4sz-4yad |
|
| 35 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 36 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 37 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 38 |
| vulnerability |
VCID-y92e-mb7u-sueg |
|
| 39 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
| 40 |
| vulnerability |
VCID-zth5-afz8-uya7 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.19 |
|
|
| aliases |
CVE-2023-28106, GHSA-x5j3-mq9g-8jc8
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qv8v-b5t4-jqb9 |
|
| 41 |
| url |
VCID-t6ek-fzh4-mbdu |
| vulnerability_id |
VCID-t6ek-fzh4-mbdu |
| summary |
Reflected XSS in Application Logger module
### Impact
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.
### Patches
Update to version 10.5.19 or apply this patch manually https://github.com/pimcore/pimcore/pull/14606.patch
### Workarounds
Apply https://github.com/pimcore/pimcore/pull/14606.patch manually.
### References
https://huntr.dev/bounties/2a64a32d-b1cc-4def-91da-18040d59f356/ |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.19 |
| purl |
pkg:composer/pimcore/pimcore@10.5.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-3et6-gmgj-h7bn |
|
| 2 |
| vulnerability |
VCID-3ref-crmy-eucd |
|
| 3 |
| vulnerability |
VCID-4dk6-cfer-t7b5 |
|
| 4 |
| vulnerability |
VCID-5qj5-vh6d-7khq |
|
| 5 |
| vulnerability |
VCID-5tz5-h4wq-3qfy |
|
| 6 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 7 |
| vulnerability |
VCID-6w41-7cfk-j7cn |
|
| 8 |
| vulnerability |
VCID-979q-g8dh-1fgw |
|
| 9 |
| vulnerability |
VCID-9ra4-dac9-7qba |
|
| 10 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 11 |
| vulnerability |
VCID-c2j7-ywhr-3ff3 |
|
| 12 |
| vulnerability |
VCID-c5af-wpgt-dkep |
|
| 13 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 14 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 15 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 16 |
| vulnerability |
VCID-drty-cbue-3kcv |
|
| 17 |
| vulnerability |
VCID-e11t-ywn5-v7gp |
|
| 18 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 19 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 20 |
| vulnerability |
VCID-f7yk-9pys-t7dr |
|
| 21 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 22 |
| vulnerability |
VCID-j9qv-7wsq-mkf6 |
|
| 23 |
| vulnerability |
VCID-jgxx-v2wj-zkfh |
|
| 24 |
| vulnerability |
VCID-jxr2-qjbz-17ha |
|
| 25 |
| vulnerability |
VCID-m9aa-5k15-dfap |
|
| 26 |
| vulnerability |
VCID-mapb-drtt-rbez |
|
| 27 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 28 |
| vulnerability |
VCID-mwu6-2hxd-efc2 |
|
| 29 |
| vulnerability |
VCID-n6h3-gsty-sua2 |
|
| 30 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 31 |
| vulnerability |
VCID-tkcj-gar9-dbbh |
|
| 32 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 33 |
| vulnerability |
VCID-uxdh-6r6k-h7fr |
|
| 34 |
| vulnerability |
VCID-v6d4-h4sz-4yad |
|
| 35 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 36 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 37 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 38 |
| vulnerability |
VCID-y92e-mb7u-sueg |
|
| 39 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
| 40 |
| vulnerability |
VCID-zth5-afz8-uya7 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.19 |
|
|
| aliases |
GHSA-2xpm-cmvw-3jcc, GMS-2023-779
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t6ek-fzh4-mbdu |
|
| 42 |
| url |
VCID-tkcj-gar9-dbbh |
| vulnerability_id |
VCID-tkcj-gar9-dbbh |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.20. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.20 |
| purl |
pkg:composer/pimcore/pimcore@10.5.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-3et6-gmgj-h7bn |
|
| 2 |
| vulnerability |
VCID-4dk6-cfer-t7b5 |
|
| 3 |
| vulnerability |
VCID-5qj5-vh6d-7khq |
|
| 4 |
| vulnerability |
VCID-5tz5-h4wq-3qfy |
|
| 5 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 6 |
| vulnerability |
VCID-6w41-7cfk-j7cn |
|
| 7 |
| vulnerability |
VCID-979q-g8dh-1fgw |
|
| 8 |
| vulnerability |
VCID-9ra4-dac9-7qba |
|
| 9 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 10 |
| vulnerability |
VCID-c2j7-ywhr-3ff3 |
|
| 11 |
| vulnerability |
VCID-c5af-wpgt-dkep |
|
| 12 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 13 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 14 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 15 |
| vulnerability |
VCID-drty-cbue-3kcv |
|
| 16 |
| vulnerability |
VCID-e11t-ywn5-v7gp |
|
| 17 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 18 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 19 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 20 |
| vulnerability |
VCID-jgxx-v2wj-zkfh |
|
| 21 |
| vulnerability |
VCID-jxr2-qjbz-17ha |
|
| 22 |
| vulnerability |
VCID-m9aa-5k15-dfap |
|
| 23 |
| vulnerability |
VCID-mapb-drtt-rbez |
|
| 24 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 25 |
| vulnerability |
VCID-mwu6-2hxd-efc2 |
|
| 26 |
| vulnerability |
VCID-n6h3-gsty-sua2 |
|
| 27 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 28 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 29 |
| vulnerability |
VCID-uxdh-6r6k-h7fr |
|
| 30 |
| vulnerability |
VCID-v6d4-h4sz-4yad |
|
| 31 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 32 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 33 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 34 |
| vulnerability |
VCID-y92e-mb7u-sueg |
|
| 35 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
| 36 |
| vulnerability |
VCID-zth5-afz8-uya7 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.20 |
|
| 1 |
|
|
| aliases |
CVE-2023-1704, GHSA-hfmg-g39c-5444, GHSA-rp78-4562-gx3c
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tkcj-gar9-dbbh |
|
| 43 |
| url |
VCID-uaf3-v6zj-uuc3 |
| vulnerability_id |
VCID-uaf3-v6zj-uuc3 |
| summary |
Pimcore Has an Incomplete Patch for CVE-2023-30848
An **incomplete SQL injection patch** in the Admin Search Find API allows an authenticated attacker to perform **blind SQL injection**.
Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to **database information disclosure**. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-23492, GHSA-qvr7-7g55-69xj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uaf3-v6zj-uuc3 |
|
| 44 |
| url |
VCID-uxdh-6r6k-h7fr |
| vulnerability_id |
VCID-uxdh-6r6k-h7fr |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-2615, GHSA-q7cc-m6jw-m262
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uxdh-6r6k-h7fr |
|
| 45 |
| url |
VCID-v6d4-h4sz-4yad |
| vulnerability_id |
VCID-v6d4-h4sz-4yad |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-2340, GHSA-g93x-fm2w-5pxw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v6d4-h4sz-4yad |
|
| 46 |
| url |
VCID-wdud-ckq4-wqfa |
| vulnerability_id |
VCID-wdud-ckq4-wqfa |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Pimcore is an open source data and experience management platform. Versions prior to 10.5.19 have an unsecured tooltip field in DataObject class definition. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Users should upgrade to version 10.5.19 or, as a workaround, apply the patch manually. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.19 |
| purl |
pkg:composer/pimcore/pimcore@10.5.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-3et6-gmgj-h7bn |
|
| 2 |
| vulnerability |
VCID-3ref-crmy-eucd |
|
| 3 |
| vulnerability |
VCID-4dk6-cfer-t7b5 |
|
| 4 |
| vulnerability |
VCID-5qj5-vh6d-7khq |
|
| 5 |
| vulnerability |
VCID-5tz5-h4wq-3qfy |
|
| 6 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 7 |
| vulnerability |
VCID-6w41-7cfk-j7cn |
|
| 8 |
| vulnerability |
VCID-979q-g8dh-1fgw |
|
| 9 |
| vulnerability |
VCID-9ra4-dac9-7qba |
|
| 10 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 11 |
| vulnerability |
VCID-c2j7-ywhr-3ff3 |
|
| 12 |
| vulnerability |
VCID-c5af-wpgt-dkep |
|
| 13 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 14 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 15 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 16 |
| vulnerability |
VCID-drty-cbue-3kcv |
|
| 17 |
| vulnerability |
VCID-e11t-ywn5-v7gp |
|
| 18 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 19 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 20 |
| vulnerability |
VCID-f7yk-9pys-t7dr |
|
| 21 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 22 |
| vulnerability |
VCID-j9qv-7wsq-mkf6 |
|
| 23 |
| vulnerability |
VCID-jgxx-v2wj-zkfh |
|
| 24 |
| vulnerability |
VCID-jxr2-qjbz-17ha |
|
| 25 |
| vulnerability |
VCID-m9aa-5k15-dfap |
|
| 26 |
| vulnerability |
VCID-mapb-drtt-rbez |
|
| 27 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 28 |
| vulnerability |
VCID-mwu6-2hxd-efc2 |
|
| 29 |
| vulnerability |
VCID-n6h3-gsty-sua2 |
|
| 30 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 31 |
| vulnerability |
VCID-tkcj-gar9-dbbh |
|
| 32 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 33 |
| vulnerability |
VCID-uxdh-6r6k-h7fr |
|
| 34 |
| vulnerability |
VCID-v6d4-h4sz-4yad |
|
| 35 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 36 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 37 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 38 |
| vulnerability |
VCID-y92e-mb7u-sueg |
|
| 39 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
| 40 |
| vulnerability |
VCID-zth5-afz8-uya7 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.19 |
|
|
| aliases |
CVE-2023-28429, GHSA-rcg9-hrhx-6q69
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wdud-ckq4-wqfa |
|
| 47 |
| url |
VCID-wzbf-bazj-4kgy |
| vulnerability_id |
VCID-wzbf-bazj-4kgy |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.6.4. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-3821, GHSA-78q2-cv3p-x9fm
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wzbf-bazj-4kgy |
|
| 48 |
| url |
VCID-xfwh-3838-j7ct |
| vulnerability_id |
VCID-xfwh-3838-j7ct |
| summary |
Cross-Site Request Forgery (CSRF)
Pimcore is an Open Source Data & Experience Management Platform. In affected versions the `/admin/object/grid-proxy` endpoint calls `getFilterCondition()` on fields of classes to be filtered for, passing input from the request, and later executes the returned SQL. One implementation of `getFilterCondition()` is in `Multiselect`, which does not normalize/escape/validate the passed value. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. This vulnerability has been addressed in version 11.1.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-47637, GHSA-72hh-xf79-429p
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xfwh-3838-j7ct |
|
| 49 |
|
| 50 |
| url |
VCID-y92e-mb7u-sueg |
| vulnerability_id |
VCID-y92e-mb7u-sueg |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-2328, GHSA-2295-vh28-pphc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y92e-mb7u-sueg |
|
| 51 |
| url |
VCID-ycet-r6tz-yyhn |
| vulnerability_id |
VCID-ycet-r6tz-yyhn |
| summary |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Pimcore is an open source data and experience management platform. Prior to version 10.5.19, quoting is not done properly in the UUID DAO model. There is a theoretical possibility of injecting custom SQL if a developer uses these methods with input data without doing proper input validation in advance, relying instead on the auto-quoting done by the DAO class. Users should update to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.19 |
| purl |
pkg:composer/pimcore/pimcore@10.5.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-3et6-gmgj-h7bn |
|
| 2 |
| vulnerability |
VCID-3ref-crmy-eucd |
|
| 3 |
| vulnerability |
VCID-4dk6-cfer-t7b5 |
|
| 4 |
| vulnerability |
VCID-5qj5-vh6d-7khq |
|
| 5 |
| vulnerability |
VCID-5tz5-h4wq-3qfy |
|
| 6 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 7 |
| vulnerability |
VCID-6w41-7cfk-j7cn |
|
| 8 |
| vulnerability |
VCID-979q-g8dh-1fgw |
|
| 9 |
| vulnerability |
VCID-9ra4-dac9-7qba |
|
| 10 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 11 |
| vulnerability |
VCID-c2j7-ywhr-3ff3 |
|
| 12 |
| vulnerability |
VCID-c5af-wpgt-dkep |
|
| 13 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 14 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 15 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 16 |
| vulnerability |
VCID-drty-cbue-3kcv |
|
| 17 |
| vulnerability |
VCID-e11t-ywn5-v7gp |
|
| 18 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 19 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 20 |
| vulnerability |
VCID-f7yk-9pys-t7dr |
|
| 21 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 22 |
| vulnerability |
VCID-j9qv-7wsq-mkf6 |
|
| 23 |
| vulnerability |
VCID-jgxx-v2wj-zkfh |
|
| 24 |
| vulnerability |
VCID-jxr2-qjbz-17ha |
|
| 25 |
| vulnerability |
VCID-m9aa-5k15-dfap |
|
| 26 |
| vulnerability |
VCID-mapb-drtt-rbez |
|
| 27 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 28 |
| vulnerability |
VCID-mwu6-2hxd-efc2 |
|
| 29 |
| vulnerability |
VCID-n6h3-gsty-sua2 |
|
| 30 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 31 |
| vulnerability |
VCID-tkcj-gar9-dbbh |
|
| 32 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 33 |
| vulnerability |
VCID-uxdh-6r6k-h7fr |
|
| 34 |
| vulnerability |
VCID-v6d4-h4sz-4yad |
|
| 35 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 36 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 37 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 38 |
| vulnerability |
VCID-y92e-mb7u-sueg |
|
| 39 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
| 40 |
| vulnerability |
VCID-zth5-afz8-uya7 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.19 |
|
|
| aliases |
CVE-2023-28108, GHSA-xc9p-r5qj-8xm9
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ycet-r6tz-yyhn |
|
| 52 |
|
| 53 |
| url |
VCID-zth5-afz8-uya7 |
| vulnerability_id |
VCID-zth5-afz8-uya7 |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pimcore/pimcore@10.5.21 |
| purl |
pkg:composer/pimcore/pimcore@10.5.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1hqj-r197-dyfe |
|
| 1 |
| vulnerability |
VCID-68hd-e927-4kcu |
|
| 2 |
| vulnerability |
VCID-bb65-xxsn-m3gv |
|
| 3 |
| vulnerability |
VCID-cbx2-f95n-kqgd |
|
| 4 |
| vulnerability |
VCID-de3u-8wqt-uyc2 |
|
| 5 |
| vulnerability |
VCID-dhdb-wakw-pufe |
|
| 6 |
| vulnerability |
VCID-f4vw-12f3-wfgb |
|
| 7 |
| vulnerability |
VCID-f5cg-bkw2-hqct |
|
| 8 |
| vulnerability |
VCID-hed9-c39j-87g2 |
|
| 9 |
| vulnerability |
VCID-mcrd-q5wz-d7dk |
|
| 10 |
| vulnerability |
VCID-q7xb-xff7-77cf |
|
| 11 |
| vulnerability |
VCID-uaf3-v6zj-uuc3 |
|
| 12 |
| vulnerability |
VCID-wzbf-bazj-4kgy |
|
| 13 |
| vulnerability |
VCID-xfwh-3838-j7ct |
|
| 14 |
| vulnerability |
VCID-xgwg-8q8s-cbfk |
|
| 15 |
| vulnerability |
VCID-zbp5-8ec3-gfe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pimcore/pimcore@10.5.21 |
|
|
| aliases |
CVE-2023-2341, GHSA-fq95-rx4q-qgg2
|
| risk_score |
3.3 |
| exploitability |
0.5 |
| weighted_severity |
6.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zth5-afz8-uya7 |
|