Search for packages
| purl | pkg:composer/pimcore/pimcore@10.0.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-13m1-u59p-eue5
Aliases: CVE-2023-1517 GHSA-42x8-2v53-pqmj |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.19. |
Affected by 41 other vulnerabilities. |
|
VCID-1hqj-r197-dyfe
Aliases: CVE-2023-2983 GHSA-m4mv-rmr7-h5f5 |
Privilege Defined With Unsafe Actions in GitHub repository pimcore/pimcore prior to 10.5.23. |
Affected by 14 other vulnerabilities. |
|
VCID-1r65-1mjp-23gr
Aliases: CVE-2022-0285 GHSA-pm3v-qxf6-fgxv |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored XSS in Packagist pimcore/pimcore. |
Affected by 83 other vulnerabilities. |
|
VCID-1w28-9z15-4qck
Aliases: CVE-2021-4084 GHSA-8w3x-r6x7-c5r5 |
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Affected by 90 other vulnerabilities. |
|
VCID-295b-zzh8-q3h3
Aliases: CVE-2022-0705 GHSA-xmq3-hgjx-6997 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0. |
Affected by 74 other vulnerabilities. Affected by 66 other vulnerabilities. |
|
VCID-2jc7-hjcd-3qfb
Aliases: CVE-2022-0893 GHSA-g795-4hxx-qqwm |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0. |
Affected by 74 other vulnerabilities. Affected by 66 other vulnerabilities. |
|
VCID-2u9x-hqp2-77g6
Aliases: CVE-2022-0251 GHSA-f7q6-xxph-mfm8 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') A stored Cross-site Scripting (XSS) vulnerability was found in pimcore. |
Affected by 94 other vulnerabilities. Affected by 82 other vulnerabilities. |
|
VCID-354d-zv99-73g6
Aliases: CVE-2023-1312 GHSA-gh4g-65f6-84g5 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.19. |
Affected by 41 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-3et6-gmgj-h7bn
Aliases: CVE-2023-2327 GHSA-x9xj-pqmv-8jf7 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. |
Affected by 16 other vulnerabilities. |
|
VCID-3ref-crmy-eucd
Aliases: CVE-2023-1702 GHSA-69fc-v223-6rjw GHSA-6qjm-39vh-729w |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.20. |
Affected by 37 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-3xpj-x3xh-7ub9
Aliases: CVE-2022-3211 GHSA-4849-x3jx-45qr |
Affected by 64 other vulnerabilities. |
|
|
VCID-4dk6-cfer-t7b5
Aliases: CVE-2023-2614 GHSA-m6m9-gr85-79vm |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.21. |
Affected by 16 other vulnerabilities. |
|
VCID-4p8y-eknc-zfgn
Aliases: CVE-2023-1117 GHSA-qxcw-rf4v-hp26 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18. |
Affected by 54 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-55g4-28a9-u7dc
Aliases: CVE-2021-39170 GHSA-2v88-qq7x-xq5f |
Cross-site Scripting Pimcore is an open source data & experience management platform. An authenticated user could add XSS code as a value of custom metadata on assets. There is a patch for this issue in Pimcore As a workaround, users may apply the patch manually. |
Affected by 97 other vulnerabilities. |
|
VCID-5qj5-vh6d-7khq
Aliases: CVE-2023-2332 GHSA-r7mm-jx6h-hv7m |
Cross-site Scripting (XSS) in Conditions tab of Pricing Rules This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. |
Affected by 16 other vulnerabilities. |
|
VCID-5tz5-h4wq-3qfy
Aliases: CVE-2023-2323 GHSA-cjv6-w5hf-5wr6 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. |
Affected by 16 other vulnerabilities. |
|
VCID-68hd-e927-4kcu
Aliases: CVE-2026-23494 GHSA-m3r2-724c-pwgf |
Pimcore is Vulnerable to Broken Access Control: Missing Function Level Authorization on "Static Routes" Listing The application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This violates OWASP A01:2021 Broken Access Control, as function-level authorization is absent, allowing unauthorized access to internal routing metadata. Without validation, the endpoint exposes route structures, potentially revealing application architecture, endpoints, or custom logic intended for administrative roles only. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-6w41-7cfk-j7cn
Aliases: CVE-2023-2616 GHSA-mhpj-7m7h-8p6x |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21. |
Affected by 16 other vulnerabilities. |
|
VCID-7w3s-bvdz-bfht
Aliases: CVE-2022-1219 GHSA-6gm7-j668-w6h9 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') SQL injection in RecyclebinController.php in GitHub repository pimcore/pimcore prior to 10.3.5. This vulnerability is capable of steal the data |
Affected by 68 other vulnerabilities. |
|
VCID-81mh-qb4b-n7a8
Aliases: CVE-2023-1247 GHSA-8wg7-88cg-7p9j |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 11.0.0. |
Affected by 9 other vulnerabilities. |
|
VCID-84sb-282p-abb6
Aliases: CVE-2022-39365 GHSA-5qxq-vgmm-q39m |
Affected by 62 other vulnerabilities. |
|
|
VCID-8t1x-kdp9-jkag
Aliases: CVE-2022-2796 GHSA-pr4f-4pcx-2r3h |
Affected by 65 other vulnerabilities. |
|
|
VCID-93rb-sj45-w3fh
Aliases: CVE-2023-1429 GHSA-3223-w774-99fq |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.19. |
Affected by 41 other vulnerabilities. |
|
VCID-979q-g8dh-1fgw
Aliases: CVE-2023-2336 GHSA-hg77-vx9v-f49x |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Path Traversal in GitHub repository pimcore/pimcore prior to 10.5.21. |
Affected by 16 other vulnerabilities. |
|
VCID-97te-6pwk-bbb4
Aliases: CVE-2022-0510 GHSA-mxh3-2699-98g9 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Reflected in Packagist pimcore/pimcore |
Affected by 74 other vulnerabilities. |
|
VCID-9m1k-bypd-zber
Aliases: CVE-2023-1116 GHSA-96hp-38wx-j3wc |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18. |
Affected by 54 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-9ra4-dac9-7qba
Aliases: CVE-2023-2339 GHSA-6fvf-x8c6-2f6j |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21. |
Affected by 16 other vulnerabilities. |
|
VCID-a9e8-ky44-s3gc
Aliases: CVE-2022-0831 GHSA-q67f-3jq4-mww2 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3. |
Affected by 73 other vulnerabilities. |
|
VCID-bb65-xxsn-m3gv
Aliases: CVE-2025-27617 GHSA-qjpx-5m2p-5pgh |
Affected by 4 other vulnerabilities. |
|
|
VCID-bexg-r2xt-6ycy
Aliases: CVE-2021-39189 GHSA-579x-cjvr-cqj9 |
Information Exposure Through Discrepancy Pimcore is an open source data & experience management platform. A flaw was found identifying it is possible to enumerate usernames via the forgot password functionality. |
Affected by 96 other vulnerabilities. |
|
VCID-bz3s-p33z-kqf2
Aliases: CVE-2022-1429 GHSA-2v7p-f4qm-r5pc |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') SQL injection in `GridHelperService.php` in GitHub repository pimcore/pimcore prior to 10.3.6. |
Affected by 66 other vulnerabilities. |
|
VCID-c2j7-ywhr-3ff3
Aliases: CVE-2023-2630 GHSA-w766-3572-f2hv |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. |
Affected by 16 other vulnerabilities. |
|
VCID-c5af-wpgt-dkep
Aliases: CVE-2023-2343 GHSA-9q7q-r54q-3f3g |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.21. |
Affected by 16 other vulnerabilities. |
|
VCID-cbx2-f95n-kqgd
Aliases: CVE-2023-4453 GHSA-599v-h3q5-g6r9 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.8. |
Affected by 7 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-cgzf-jppn-q7ff
Aliases: GHSA-rrwm-8wqm-gwgv GMS-2023-781 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pimcore/pimcore. |
Affected by 41 other vulnerabilities. |
|
VCID-d7zd-p4g6-ryd1
Aliases: CVE-2023-1515 GHSA-66cm-c7ch-5j8q |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19. |
Affected by 41 other vulnerabilities. |
|
VCID-de3u-8wqt-uyc2
Aliases: CVE-2023-38708 GHSA-34hj-v8fm-x887 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in the `AssetController::importServerFilesAction`, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore_log parameter.This can lead to potential denial of service---key file overwrite. The impact of this vulnerability allows attackers to: overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information. This could also cause a denial of service (DoS) if critical system files are overwritten or deleted. |
Affected by 8 other vulnerabilities. |
|
VCID-dhdb-wakw-pufe
Aliases: CVE-2023-5873 GHSA-j59v-hh4p-q92m |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 11.1.0. |
Affected by 8 other vulnerabilities. |
|
VCID-drty-cbue-3kcv
Aliases: CVE-2023-2342 GHSA-2c67-p4xh-m34w |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21. |
Affected by 16 other vulnerabilities. |
|
VCID-e11t-ywn5-v7gp
Aliases: CVE-2023-2322 GHSA-476g-v7hf-cw5m |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. |
Affected by 16 other vulnerabilities. |
|
VCID-f4vw-12f3-wfgb
Aliases: CVE-2026-27461 GHSA-vxg3-v4p6-f3fp |
Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause The filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Affected code in models/Dependency/Dao.php: - getFilterRequiresByPath() lines 90, 95, 100 - getFilterRequiredByPath() lines 148, 153, 158 All 6 locations use direct string concatenation like: "AND LOWER(CONCAT(o.path, o.key)) RLIKE '".$value."'" Note that $orderBy and $orderDirection in the same methods (lines 75-81) ARE properly `whitelist`-validated, but $value has zero sanitization. Entry points (pimcore/admin-ui-classic-bundle ElementController.php): - GET /admin/element/get-requires-dependencies (line 654) - GET /admin/element/get-required-by-dependencies (line 714) The controller JSON-decodes the filter query param and passes $filter['value'] straight to the Dao without any escaping. PoC (time-based blind): |
Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-f5cg-bkw2-hqct
Aliases: CVE-2026-23493 GHSA-q433-j342-rp9h |
Pimcore ENV Variables and Cookie Informations are exposed in http_error_log The http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-f7yk-9pys-t7dr
Aliases: CVE-2023-1703 GHSA-3r5c-h7g6-cqw7 GHSA-4f25-2x2c-vg6v |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.20. |
Affected by 37 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-f92t-4uw8-67hh
Aliases: GHSA-cfcv-q4qq-2ph4 GMS-2021-117 |
CKEditor 4 vulnerabilities in versions <4.16.1 Details see: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc ( CVE-2021-37695 ) https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c ( CVE-2021-32808 ) https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg ( CVE-2021-32809 ) Patch: https://github.com/pimcore/pimcore/pull/10032 |
Affected by 99 other vulnerabilities. |
|
VCID-fhsn-akes-rqey
Aliases: CVE-2022-0911 GHSA-j29f-m23h-3p8p |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0. |
Affected by 74 other vulnerabilities. Affected by 66 other vulnerabilities. |
|
VCID-fnz2-pbtj-43ak
Aliases: CVE-2023-2730 GHSA-q3p4-v2cm-q945 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3. |
Affected by 73 other vulnerabilities. |
|
VCID-fpuf-6uyn-hydv
Aliases: CVE-2022-0263 GHSA-c697-r227-pq6h |
Unrestricted Upload of File with Dangerous Type in Packagist pimcore/pimcore |
Affected by 86 other vulnerabilities. |
|
VCID-fvku-th2k-93d8
Aliases: GHSA-76r7-h46w-463r GMS-2023-363 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pimcore/pimcore. |
Affected by 59 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-gda3-s5cp-w7d4
Aliases: CVE-2022-1351 GHSA-xcr3-4qvr-54rh |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Stored XSS in Tooltip in GitHub repository pimcore/pimcore prior to 10.4. |
Affected by 66 other vulnerabilities. |
|
VCID-ggje-p3cm-fyhe
Aliases: CVE-2022-0262 GHSA-4f5x-q4jc-xfcf |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore |
Affected by 86 other vulnerabilities. |
|
VCID-gs48-295u-mqdt
Aliases: CVE-2023-1286 GHSA-8jv7-vwrc-mv4g |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19. |
Affected by 41 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-gs7u-m432-yqaw
Aliases: CVE-2023-0323 GHSA-6vf6-g3pr-j83h |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.14. |
Affected by 61 other vulnerabilities. |
|
VCID-hed9-c39j-87g2
Aliases: CVE-2023-3820 GHSA-c9hw-557q-f8hq |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') SQL Injection in GitHub repository pimcore/pimcore prior to 10.6.4. |
Affected by 9 other vulnerabilities. |
|
VCID-hn1d-5fbq-cyc7
Aliases: CVE-2022-0509 GHSA-cg3h-rc9q-g8v9 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore |
Affected by 74 other vulnerabilities. |
|
VCID-hvgj-5hjn-cbhb
Aliases: CVE-2022-0257 GHSA-v567-q267-phpg |
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Affected by 83 other vulnerabilities. Affected by 83 other vulnerabilities. |
|
VCID-j5pq-ekja-jffv
Aliases: CVE-2022-0258 GHSA-vj9x-w7ch-f46p |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') pimcore is vulnerable to Improper Neutralization of Special Elements used in an SQL Command |
Affected by 83 other vulnerabilities. Affected by 83 other vulnerabilities. |
|
VCID-j9qv-7wsq-mkf6
Aliases: CVE-2023-1701 GHSA-6mmf-qm37-pmgg GHSA-7r35-chv4-xr3r |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.20. |
Affected by 37 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-jgxx-v2wj-zkfh
Aliases: CVE-2023-2338 GHSA-4x35-vr82-xvj6 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.21. |
Affected by 16 other vulnerabilities. |
|
VCID-jx3r-bxmm-hfaw
Aliases: CVE-2023-1115 GHSA-97cp-8873-v2gf |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18. |
Affected by 54 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-jxr2-qjbz-17ha
Aliases: CVE-2023-2361 GHSA-9xg6-75mh-7x3f |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. |
Affected by 16 other vulnerabilities. |
|
VCID-m756-fmwt-dfbf
Aliases: CVE-2022-1339 GHSA-mj2c-5mjv-gmmj |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') SQL injection in ElementController.php in GitHub repository pimcore/pimcore prior to 10.3.5. This vulnerability is capable of steal the data |
Affected by 68 other vulnerabilities. |
|
VCID-m9aa-5k15-dfap
Aliases: CVE-2023-30848 GHSA-6mhm-gcpf-5gr8 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the admin search find API has a SQL injection vulnerability. Users should upgrade to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually. |
Affected by 16 other vulnerabilities. |
|
VCID-mapb-drtt-rbez
Aliases: CVE-2023-30850 GHSA-jwg4-qcgv-5wg6 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Pimcore is an open source data and experience management platform. Prior to version 10.5.21, a SQL Injection vulnerability exists in the admin translations API. Users should update to version 10.5.21 to receive a patch or, as a workaround, or apply the patch manually. |
Affected by 16 other vulnerabilities. |
|
VCID-mcrd-q5wz-d7dk
Aliases: CVE-2023-3819 GHSA-r87r-982q-2c3q |
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pimcore/pimcore prior to 10.6.4. |
Affected by 9 other vulnerabilities. |
|
VCID-mhz5-dnv5-6uas
Aliases: CVE-2022-3255 GHSA-wqr6-57qm-hhr5 |
Affected by 63 other vulnerabilities. |
|
|
VCID-mwu6-2hxd-efc2
Aliases: CVE-2023-30852 GHSA-j5c3-r84f-9596 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the `/admin/misc/script-proxy` API endpoint that is accessible by an authenticated administrator user is vulnerable to arbitrary JavaScript and CSS file read via the `scriptPath` and `scripts` parameters. The `scriptPath` parameter is not sanitized properly and is vulnerable to path traversal attack. Any JavaScript/CSS file from the application server can be read by specifying sufficient number of `../` patterns to go out from the application webroot followed by path of the folder where the file is located in the "scriptPath" parameter and the file name in the "scripts" parameter. The JavaScript file is successfully read only if the web application has read access to it. Users should update to version 10.5.21 to receive a patch or, as a workaround, apply the patch manual. |
Affected by 16 other vulnerabilities. |
|
VCID-n6h3-gsty-sua2
Aliases: CVE-2023-30849 GHSA-xmg8-w465-mr56 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Pimcore is an open source data and experience management platform. Prior to version 10.5.21, A SQL injection vulnerability exists in the translation export API. Users should update to version 10.5.21 to receive a patch or, as a workaround, or apply the patch manually. |
Affected by 16 other vulnerabilities. |
|
VCID-p7w5-8ynh-xuh4
Aliases: CVE-2023-1578 GHSA-42c3-wvww-gcqj |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.19. |
Affected by 41 other vulnerabilities. |
|
VCID-paqt-sa9x-2qcm
Aliases: CVE-2022-0832 GHSA-6qcc-whgp-pjj2 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3. |
Affected by 73 other vulnerabilities. |
|
VCID-pnn8-zfvf-wqcf
Aliases: CVE-2022-0256 GHSA-57hg-26h7-9qgv |
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Affected by 83 other vulnerabilities. Affected by 83 other vulnerabilities. |
|
VCID-px53-r47y-tbds
Aliases: CVE-2022-0348 GHSA-8x44-pwr2-rgc6 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') A stored Cross-site Scripting (XSS) vulnrability was found in pimcore. |
Affected by 94 other vulnerabilities. Affected by 82 other vulnerabilities. |
|
VCID-q7xb-xff7-77cf
Aliases: CVE-2023-3822 GHSA-vmpv-qjhq-r463 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.4. |
Affected by 9 other vulnerabilities. |
|
VCID-qbz4-eznm-e3hw
Aliases: CVE-2022-0665 GHSA-gjq4-69wj-p6pr |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Path Traversal in GitHub repository pimcore/pimcore prior to 10.3.2. |
Affected by 73 other vulnerabilities. |
|
VCID-qn3n-hpd2-7baf
Aliases: CVE-2023-28438 GHSA-vf7q-g2pv-jxvx |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries and given the fact that this endpoint is using the GET method (no CSRF protection), an attacker can inject an arbitrary query by manipulating a user to click on a link. Users should upgrade to version 10.5.19 to receive a patch or, as a workaround, may apply the patch manually. |
Affected by 41 other vulnerabilities. |
|
VCID-qv8v-b5t4-jqb9
Aliases: CVE-2023-28106 GHSA-x5j3-mq9g-8jc8 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Pimcore is an open source data and experience management platform. Prior to version 10.5.19, an attacker can use cross-site scripting to send a malicious script to an unsuspecting user. Users may upgrade to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually. |
Affected by 41 other vulnerabilities. |
|
VCID-r34d-uefq-skam
Aliases: CVE-2021-39166 GHSA-w6j8-jc36-x5q9 |
Cross-site Scripting Text-values were not properly escaped before printed in the version preview. This allowed XSS by authenticated users with access to the resources. This issue is patched in Pimcore |
Affected by 97 other vulnerabilities. |
|
VCID-sbqb-c913-rqhb
Aliases: CVE-2022-0565 GHSA-h9vc-2p9g-63gp |
Cross-site Scripting in pimcore Cross-site Scripting in Packagist pimcore/pimcore prior to 10.3.1. |
Affected by 74 other vulnerabilities. |
|
VCID-smn4-dvb2-u7hb
Aliases: CVE-2022-0260 GHSA-455w-gv5p-wgg3 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore |
Affected by 86 other vulnerabilities. Affected by 83 other vulnerabilities. |
|
VCID-t6ek-fzh4-mbdu
Aliases: GHSA-2xpm-cmvw-3jcc GMS-2023-779 |
Reflected XSS in Application Logger module ### Impact This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. ### Patches Update to version 10.5.19 or apply this patch manually https://github.com/pimcore/pimcore/pull/14606.patch ### Workarounds Apply https://github.com/pimcore/pimcore/pull/14606.patch manually. ### References https://huntr.dev/bounties/2a64a32d-b1cc-4def-91da-18040d59f356/ |
Affected by 41 other vulnerabilities. |
|
VCID-tkcj-gar9-dbbh
Aliases: CVE-2023-1704 GHSA-hfmg-g39c-5444 GHSA-rp78-4562-gx3c |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.20. |
Affected by 37 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-trf7-n9zr-bubx
Aliases: CVE-2021-4082 GHSA-2v2v-fx7r-f2fh |
pimcore is vulnerable to Cross-Site Request Forgery (CSRF) |
Affected by 90 other vulnerabilities. |
|
VCID-tzjt-fdqe-s7ct
Aliases: CVE-2021-23405 GHSA-g8jx-66p8-vcm2 |
A SQL Injection flaw was found in the package pimcore/pimcore. This issue exists due to the absence of check on the `storeId` parameter in the method `collectionsActionGet` and `groupsActionGet` method within the `ClassificationstoreController` class. |
Affected by 101 other vulnerabilities. |
|
VCID-uaf3-v6zj-uuc3
Aliases: CVE-2026-23492 GHSA-qvr7-7g55-69xj |
Pimcore Has an Incomplete Patch for CVE-2023-30848 An **incomplete SQL injection patch** in the Admin Search Find API allows an authenticated attacker to perform **blind SQL injection**. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to **database information disclosure**. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-ud81-gjp6-s3ac
Aliases: CVE-2023-23937 GHSA-8xv4-jj4h-qww6 GMS-2023-222 |
Duplicate This advisory duplicates another. |
Affected by 60 other vulnerabilities. |
|
VCID-ur7d-jx1z-kbet
Aliases: CVE-2023-30855 GHSA-g2mc-fqqc-hxg3 |
Relative Path Traversal in pimcore/pimcore. |
Affected by 54 other vulnerabilities. |
|
VCID-uukc-b952-zbgk
Aliases: CVE-2021-4081 GHSA-3p85-p4qg-hcrp |
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Affected by 90 other vulnerabilities. |
|
VCID-uxdh-6r6k-h7fr
Aliases: CVE-2023-2615 GHSA-q7cc-m6jw-m262 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21. |
Affected by 16 other vulnerabilities. |
|
VCID-v6d4-h4sz-4yad
Aliases: CVE-2023-2340 GHSA-g93x-fm2w-5pxw |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. |
Affected by 16 other vulnerabilities. |
|
VCID-v9ts-sd7r-gff2
Aliases: CVE-2022-0704 GHSA-pc32-x737-74cv |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0. |
Affected by 74 other vulnerabilities. Affected by 66 other vulnerabilities. |
|
VCID-w7q9-zspa-pfb7
Aliases: CVE-2021-4146 GHSA-54hw-mhgh-x4vc |
Business Logic Errors in GitHub repository pimcore/pimcore |
Affected by 90 other vulnerabilities. Affected by 83 other vulnerabilities. |
|
VCID-wdud-ckq4-wqfa
Aliases: CVE-2023-28429 GHSA-rcg9-hrhx-6q69 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Pimcore is an open source data and experience management platform. Versions prior to 10.5.19 have an unsecured tooltip field in DataObject class definition. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Users should upgrade to version 10.5.19 or, as a workaround, apply the patch manually. |
Affected by 41 other vulnerabilities. |
|
VCID-wura-bb97-rbg7
Aliases: CVE-2021-37702 GHSA-pp2h-95hm-hv9r |
Improper Neutralization of Formula Elements in a CSV File Pimcore is an open source data & experience management platform., Data Object CSV import allows formular injection. The problem is patched Aside from upgrading, one may apply the patch manually as a workaround. |
Affected by 99 other vulnerabilities. |
|
VCID-wzbf-bazj-4kgy
Aliases: CVE-2023-3821 GHSA-78q2-cv3p-x9fm |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.6.4. |
Affected by 9 other vulnerabilities. |
|
VCID-x7pr-fcen-r7d5
Aliases: CVE-2021-4139 GHSA-8xx9-rxrj-2m2w |
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Affected by 86 other vulnerabilities. |
|
VCID-xa87-8qgt-t7az
Aliases: CVE-2022-0894 GHSA-22hc-47cc-7x6f |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0. |
Affected by 74 other vulnerabilities. Affected by 66 other vulnerabilities. |
|
VCID-xfwh-3838-j7ct
Aliases: CVE-2023-47637 GHSA-72hh-xf79-429p |
Cross-Site Request Forgery (CSRF) Pimcore is an Open Source Data & Experience Management Platform. In affected versions the `/admin/object/grid-proxy` endpoint calls `getFilterCondition()` on fields of classes to be filtered for, passing input from the request, and later executes the returned SQL. One implementation of `getFilterCondition()` is in `Multiselect`, which does not normalize/escape/validate the passed value. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. This vulnerability has been addressed in version 11.1.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
Affected by 8 other vulnerabilities. |
|
VCID-xgwg-8q8s-cbfk
Aliases: CVE-2023-3673 GHSA-rxp5-qwrf-pfv3 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.24. |
Affected by 13 other vulnerabilities. |
|
VCID-y92e-mb7u-sueg
Aliases: CVE-2023-2328 GHSA-2295-vh28-pphc |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21. |
Affected by 16 other vulnerabilities. |
|
VCID-yah4-88g3-37ak
Aliases: CVE-2023-1067 GHSA-f2jh-mf2c-8278 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18. |
Affected by 54 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-ycet-r6tz-yyhn
Aliases: CVE-2023-28108 GHSA-xc9p-r5qj-8xm9 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Pimcore is an open source data and experience management platform. Prior to version 10.5.19, quoting is not done properly in UUID DAO model. There is the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper input validation in advance and so relies on the auto-quoting being done by the DAO class. Users should update to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually. |
Affected by 41 other vulnerabilities. |
|
VCID-zbp5-8ec3-gfe4
Aliases: CVE-2023-2984 GHSA-46g3-f9r8-xj4v |
Path Traversal: '\..\filename' in GitHub repository pimcore/pimcore prior to 10.5.22. |
Affected by 15 other vulnerabilities. |
|
VCID-zth5-afz8-uya7
Aliases: CVE-2023-2341 GHSA-fq95-rx4q-qgg2 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21. |
Affected by 16 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||