Package Instance

Pimcore Vulnerable to SQL Injection in getRelationFilterCondition
Authenticated users can craft a filter string used to cause a SQL injection.

Pimcore Has an Incomplete Patch for CVE-2023-30848
An **incomplete SQL injection patch** in the Admin Search Find API allows an authenticated attacker to perform **blind SQL injection**.
Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to **database information disclosure**.

Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause
The filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries.

Affected code in models/Dependency/Dao.php:
- getFilterRequiresByPath() lines 90, 95, 100
- getFilterRequiredByPath() lines 148, 153, 158

All 6 locations use direct string concatenation like:

"AND LOWER(CONCAT(o.path, o.key)) RLIKE '".$value."'"

Note that $orderBy and $orderDirection in the same methods (lines 75-81) ARE properly `whitelist`-validated, but $value has zero sanitization.

Entry points (pimcore/admin-ui-classic-bundle ElementController.php):
- GET /admin/element/get-requires-dependencies (line 654)
- GET /admin/element/get-required-by-dependencies (line 714)

The controller JSON-decodes the filter query param and passes $filter['value'] straight to the Dao without any escaping.

PoC (time-based blind):

Flooding Server with Thumbnail files
All Pimcore Instances are affected, as far as we can see, also all versions

Pimcore is Vulnerable to Broken Access Control: Missing Function Level Authorization on "Static Routes" Listing
The application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This violates OWASP A01:2021 Broken Access Control, as function-level authorization is absent, allowing unauthorized access to internal routing metadata. Without validation, the endpoint exposes route structures, potentially revealing application architecture, endpoints, or custom logic intended for administrative roles only.

Pimcore ENV Variables and Cookie Informations are exposed in http_error_log
The http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend.

Pimcore TinyMCE Bundle - tinymce CVE-2024-29203, CVE-2024-29881
The TineMCE Bundle uses tinymce version 6.7.3. CVEs for this version exists for <6.8.1:
https://nvd.nist.gov/vuln/detail/CVE-2024-29203
https://nvd.nist.gov/vuln/detail/CVE-2024-29881