| purl | pkg:composer/pimcore/pimcore@5.0.2 |
|---|---|

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-13m1-u59p-eue5 (aliases CVE-2023-1517, GHSA-42x8-2v53-pqmj) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.19. | Affected by 34 other vulnerabilities. |
| VCID-1hqj-r197-dyfe (aliases CVE-2023-2983, GHSA-m4mv-rmr7-h5f5) | Privilege Defined With Unsafe Actions in GitHub repository pimcore/pimcore prior to 10.5.23. | Affected by 7 other vulnerabilities. |
| VCID-1r65-1mjp-23gr (aliases CVE-2022-0285, GHSA-pm3v-qxf6-fgxv) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored XSS in Packagist pimcore/pimcore. | Affected by 76 other vulnerabilities. |
| VCID-1w28-9z15-4qck (aliases CVE-2021-4084, GHSA-8w3x-r6x7-c5r5) | pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). | Affected by 83 other vulnerabilities. |
| VCID-295b-zzh8-q3h3 (aliases CVE-2022-0705, GHSA-xmq3-hgjx-6997) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0. | Affected by 67 other vulnerabilities. Affected by 59 other vulnerabilities. |
| VCID-2jc7-hjcd-3qfb (aliases CVE-2022-0893, GHSA-g795-4hxx-qqwm) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0. | Affected by 67 other vulnerabilities. Affected by 59 other vulnerabilities. |
| VCID-2u9x-hqp2-77g6 (aliases CVE-2022-0251, GHSA-f7q6-xxph-mfm8) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): A stored Cross-site Scripting (XSS) vulnerability was found in pimcore. | Affected by 87 other vulnerabilities. Affected by 75 other vulnerabilities. |
| VCID-354d-zv99-73g6 (aliases CVE-2023-1312, GHSA-gh4g-65f6-84g5) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.19. | Affected by 34 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-3dv8-wfjd-53dg (aliases CVE-2018-14058, GHSA-q4hw-c66h-4xqc) | Pimcore allows SQL Injection via the REST web service API. | Affected by 104 other vulnerabilities. |
| VCID-3et6-gmgj-h7bn (aliases CVE-2023-2327, GHSA-x9xj-pqmv-8jf7) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. | Affected by 9 other vulnerabilities. |
| VCID-3ref-crmy-eucd (aliases CVE-2023-1702, GHSA-69fc-v223-6rjw, GHSA-6qjm-39vh-729w) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.20. | Affected by 30 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-3xpj-x3xh-7ub9 (aliases CVE-2022-3211, GHSA-4849-x3jx-45qr) | | Affected by 57 other vulnerabilities. |
| VCID-4dk6-cfer-t7b5 (aliases CVE-2023-2614, GHSA-m6m9-gr85-79vm) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.21. | Affected by 9 other vulnerabilities. |
| VCID-4p8y-eknc-zfgn (aliases CVE-2023-1117, GHSA-qxcw-rf4v-hp26) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18. | Affected by 47 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-55g4-28a9-u7dc (aliases CVE-2021-39170, GHSA-2v88-qq7x-xq5f) | Cross-site Scripting: Pimcore is an open source data & experience management platform. An authenticated user could add XSS code as a value of custom metadata on assets. There is a patch for this issue in Pimcore. As a workaround, users may apply the patch manually. | Affected by 90 other vulnerabilities. |
| VCID-5qj5-vh6d-7khq (aliases CVE-2023-2332, GHSA-r7mm-jx6h-hv7m) | Cross-site Scripting (XSS) in the Conditions tab of Pricing Rules. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie, or to redirect users to other malicious sites. | Affected by 9 other vulnerabilities. |
| VCID-5tz5-h4wq-3qfy (aliases CVE-2023-2323, GHSA-cjv6-w5hf-5wr6) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. | Affected by 9 other vulnerabilities. |
| VCID-6ph4-dkvv-eybx (aliases CVE-2019-18985, GHSA-hf62-5vxh-jpwj) | | Affected by 99 other vulnerabilities. |
| VCID-6w41-7cfk-j7cn (aliases CVE-2023-2616, GHSA-mhpj-7m7h-8p6x) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21. | Affected by 9 other vulnerabilities. |
| VCID-7w3s-bvdz-bfht (aliases CVE-2022-1219, GHSA-6gm7-j668-w6h9) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): SQL injection in RecyclebinController.php in GitHub repository pimcore/pimcore prior to 10.3.5. This vulnerability can be used to steal data. | Affected by 61 other vulnerabilities. |
| VCID-81mh-qb4b-n7a8 (aliases CVE-2023-1247, GHSA-8wg7-88cg-7p9j) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 11.0.0. | Affected by 1 other vulnerability. |
| VCID-84sb-282p-abb6 (aliases CVE-2022-39365, GHSA-5qxq-vgmm-q39m) | | Affected by 55 other vulnerabilities. |
| VCID-8t1x-kdp9-jkag (aliases CVE-2022-2796, GHSA-pr4f-4pcx-2r3h) | | Affected by 58 other vulnerabilities. |
| VCID-93rb-sj45-w3fh (aliases CVE-2023-1429, GHSA-3223-w774-99fq) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.19. | Affected by 34 other vulnerabilities. |
| VCID-979q-g8dh-1fgw (aliases CVE-2023-2336, GHSA-hg77-vx9v-f49x) | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): Path Traversal in GitHub repository pimcore/pimcore prior to 10.5.21. | Affected by 9 other vulnerabilities. |
| VCID-97te-6pwk-bbb4 (aliases CVE-2022-0510, GHSA-mxh3-2699-98g9) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Reflected in Packagist pimcore/pimcore. | Affected by 67 other vulnerabilities. |
| VCID-9m1k-bypd-zber (aliases CVE-2023-1116, GHSA-96hp-38wx-j3wc) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18. | Affected by 47 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-9ra4-dac9-7qba (aliases CVE-2023-2339, GHSA-6fvf-x8c6-2f6j) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21. | Affected by 9 other vulnerabilities. |
| VCID-a9e8-ky44-s3gc (aliases CVE-2022-0831, GHSA-q67f-3jq4-mww2) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3. | Affected by 66 other vulnerabilities. |
| VCID-bexg-r2xt-6ycy (aliases CVE-2021-39189, GHSA-579x-cjvr-cqj9) | Information Exposure Through Discrepancy: Pimcore is an open source data & experience management platform. A flaw was found that makes it possible to enumerate usernames via the forgot-password functionality. | Affected by 89 other vulnerabilities. |
| VCID-bz3s-p33z-kqf2 (aliases CVE-2022-1429, GHSA-2v7p-f4qm-r5pc) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): SQL injection in `GridHelperService.php` in GitHub repository pimcore/pimcore prior to 10.3.6. | Affected by 59 other vulnerabilities. |
| VCID-c2j7-ywhr-3ff3 (aliases CVE-2023-2630, GHSA-w766-3572-f2hv) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. | Affected by 9 other vulnerabilities. |
| VCID-c5af-wpgt-dkep (aliases CVE-2023-2343, GHSA-9q7q-r54q-3f3g) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.21. | Affected by 9 other vulnerabilities. |
| VCID-cbx2-f95n-kqgd (aliases CVE-2023-4453, GHSA-599v-h3q5-g6r9) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.8. | Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-cgzf-jppn-q7ff (aliases GHSA-rrwm-8wqm-gwgv, GMS-2023-781) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pimcore/pimcore. | Affected by 34 other vulnerabilities. |
| VCID-d6ep-hreb-gqfg (aliases CVE-2019-10867, GHSA-7hqr-j26m-gmwp) | Deserialization of Untrusted Data: An attacker with classes permission can send a POST request to `/admin/class/bulk-commit`, which makes it possible to exploit the unserialize function when passing untrusted values in the data parameter to `bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php`. | Affected by 101 other vulnerabilities. |
| VCID-d7zd-p4g6-ryd1 (aliases CVE-2023-1515, GHSA-66cm-c7ch-5j8q) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19. | Affected by 34 other vulnerabilities. |
| VCID-de3u-8wqt-uyc2 (aliases CVE-2023-38708, GHSA-34hj-v8fm-x887) | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in `AssetController::importServerFilesAction`, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore_log parameter. Attackers can overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation or disclosure of confidential information, and to a denial of service (DoS) if critical system files are overwritten or deleted. | Affected by 1 other vulnerability. |
| VCID-dr21-xtsw-f3b8 (aliases CVE-2020-26246, GHSA-7p8p-4253-3mg6) | | Affected by 96 other vulnerabilities. |
| VCID-drty-cbue-3kcv (aliases CVE-2023-2342, GHSA-2c67-p4xh-m34w) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21. | Affected by 9 other vulnerabilities. |
| VCID-e11t-ywn5-v7gp (aliases CVE-2023-2322, GHSA-476g-v7hf-cw5m) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. | Affected by 9 other vulnerabilities. |
| VCID-f7yk-9pys-t7dr (aliases CVE-2023-1703, GHSA-3r5c-h7g6-cqw7, GHSA-4f25-2x2c-vg6v) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.20. | Affected by 30 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-f92t-4uw8-67hh (aliases GHSA-cfcv-q4qq-2ph4, GMS-2021-117) | CKEditor 4 vulnerabilities in versions <4.16.1. Details: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc (CVE-2021-37695), https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c (CVE-2021-32808), https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg (CVE-2021-32809). Patch: https://github.com/pimcore/pimcore/pull/10032 | Affected by 92 other vulnerabilities. |
| VCID-fb1z-259v-g7hp (aliases CVE-2019-18986, GHSA-8889-9g3f-73rj) | | Affected by 99 other vulnerabilities. |
| VCID-fhsn-akes-rqey (aliases CVE-2022-0911, GHSA-j29f-m23h-3p8p) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0. | Affected by 67 other vulnerabilities. Affected by 59 other vulnerabilities. |
| VCID-fnz2-pbtj-43ak (aliases CVE-2023-2730, GHSA-q3p4-v2cm-q945) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3. | Affected by 66 other vulnerabilities. |
| VCID-fpuf-6uyn-hydv (aliases CVE-2022-0263, GHSA-c697-r227-pq6h) | Unrestricted Upload of File with Dangerous Type in Packagist pimcore/pimcore. | Affected by 79 other vulnerabilities. |
| VCID-fvku-th2k-93d8 (aliases GHSA-76r7-h46w-463r, GMS-2023-363) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pimcore/pimcore. | Affected by 52 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-gda3-s5cp-w7d4 (aliases CVE-2022-1351, GHSA-xcr3-4qvr-54rh) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Stored XSS in Tooltip in GitHub repository pimcore/pimcore prior to 10.4. | Affected by 59 other vulnerabilities. |
| VCID-ggje-p3cm-fyhe (aliases CVE-2022-0262, GHSA-4f5x-q4jc-xfcf) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore. | Affected by 79 other vulnerabilities. |
| VCID-gs48-295u-mqdt (aliases CVE-2023-1286, GHSA-8jv7-vwrc-mv4g) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19. | Affected by 34 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-gs7u-m432-yqaw (aliases CVE-2023-0323, GHSA-6vf6-g3pr-j83h) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.14. | Affected by 54 other vulnerabilities. |
| VCID-hed9-c39j-87g2 (aliases CVE-2023-3820, GHSA-c9hw-557q-f8hq) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): SQL Injection in GitHub repository pimcore/pimcore prior to 10.6.4. | Affected by 2 other vulnerabilities. |
| VCID-hn1d-5fbq-cyc7 (aliases CVE-2022-0509, GHSA-cg3h-rc9q-g8v9) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore. | Affected by 67 other vulnerabilities. |
| VCID-hvgj-5hjn-cbhb (aliases CVE-2022-0257, GHSA-v567-q267-phpg) | pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). | Affected by 76 other vulnerabilities. Affected by 76 other vulnerabilities. |
| VCID-j5pq-ekja-jffv (aliases CVE-2022-0258, GHSA-vj9x-w7ch-f46p) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): pimcore is vulnerable to Improper Neutralization of Special Elements used in an SQL Command. | Affected by 76 other vulnerabilities. Affected by 76 other vulnerabilities. |
| VCID-j9qv-7wsq-mkf6 (aliases CVE-2023-1701, GHSA-6mmf-qm37-pmgg, GHSA-7r35-chv4-xr3r) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.20. | Affected by 30 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-jgxx-v2wj-zkfh (aliases CVE-2023-2338, GHSA-4x35-vr82-xvj6) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.21. | Affected by 9 other vulnerabilities. |
| VCID-jx3r-bxmm-hfaw (aliases CVE-2023-1115, GHSA-97cp-8873-v2gf) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18. | Affected by 47 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-jxr2-qjbz-17ha (aliases CVE-2023-2361, GHSA-9xg6-75mh-7x3f) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. | Affected by 9 other vulnerabilities. |
| VCID-m455-2tct-dugb (aliases CVE-2019-16317, GHSA-352x-hc2f-fwff) | | Affected by 101 other vulnerabilities. |
| VCID-m756-fmwt-dfbf (aliases CVE-2022-1339, GHSA-mj2c-5mjv-gmmj) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): SQL injection in ElementController.php in GitHub repository pimcore/pimcore prior to 10.3.5. This vulnerability can be used to steal data. | Affected by 61 other vulnerabilities. |
| VCID-m9aa-5k15-dfap (aliases CVE-2023-30848, GHSA-6mhm-gcpf-5gr8) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the admin search find API has a SQL injection vulnerability. Users should upgrade to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually. | Affected by 9 other vulnerabilities. |
| VCID-mapb-drtt-rbez (aliases CVE-2023-30850, GHSA-jwg4-qcgv-5wg6) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): Pimcore is an open source data and experience management platform. Prior to version 10.5.21, a SQL Injection vulnerability exists in the admin translations API. Users should update to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually. | Affected by 9 other vulnerabilities. |
| VCID-mcrd-q5wz-d7dk (aliases CVE-2023-3819, GHSA-r87r-982q-2c3q) | Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pimcore/pimcore prior to 10.6.4. | Affected by 2 other vulnerabilities. |
| VCID-mhz5-dnv5-6uas (aliases CVE-2022-3255, GHSA-wqr6-57qm-hhr5) | | Affected by 56 other vulnerabilities. |
| VCID-mwu6-2hxd-efc2 (aliases CVE-2023-30852, GHSA-j5c3-r84f-9596) | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the `/admin/misc/script-proxy` API endpoint that is accessible by an authenticated administrator user is vulnerable to arbitrary JavaScript and CSS file read via the `scriptPath` and `scripts` parameters. The `scriptPath` parameter is not sanitized properly and is vulnerable to a path traversal attack. Any JavaScript/CSS file on the application server can be read by specifying a sufficient number of `../` patterns to leave the application webroot, followed by the path of the folder where the file is located, in the "scriptPath" parameter and the file name in the "scripts" parameter. The file is successfully read only if the web application has read access to it. Users should update to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually. | Affected by 9 other vulnerabilities. |
| VCID-n6h3-gsty-sua2 (aliases CVE-2023-30849, GHSA-xmg8-w465-mr56) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): Pimcore is an open source data and experience management platform. Prior to version 10.5.21, a SQL injection vulnerability exists in the translation export API. Users should update to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually. | Affected by 9 other vulnerabilities. |
| VCID-p7w5-8ynh-xuh4 (aliases CVE-2023-1578, GHSA-42c3-wvww-gcqj) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.19. | Affected by 34 other vulnerabilities. |
| VCID-paqt-sa9x-2qcm (aliases CVE-2022-0832, GHSA-6qcc-whgp-pjj2) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3. | Affected by 66 other vulnerabilities. |
| VCID-pnn8-zfvf-wqcf (aliases CVE-2022-0256, GHSA-57hg-26h7-9qgv) | pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). | Affected by 76 other vulnerabilities. Affected by 76 other vulnerabilities. |
| VCID-px53-r47y-tbds (aliases CVE-2022-0348, GHSA-8x44-pwr2-rgc6) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): A stored Cross-site Scripting (XSS) vulnerability was found in pimcore. | Affected by 87 other vulnerabilities. Affected by 75 other vulnerabilities. |
| VCID-q7xb-xff7-77cf (aliases CVE-2023-3822, GHSA-vmpv-qjhq-r463) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.4. | Affected by 2 other vulnerabilities. |
| VCID-qbz4-eznm-e3hw (aliases CVE-2022-0665, GHSA-gjq4-69wj-p6pr) | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): Path Traversal in GitHub repository pimcore/pimcore prior to 10.3.2. | Affected by 66 other vulnerabilities. |
| VCID-qn3n-hpd2-7baf (aliases CVE-2023-28438, GHSA-vf7q-g2pv-jxvx) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries, and given that this endpoint uses the GET method (no CSRF protection), an attacker can inject an arbitrary query by tricking a user into clicking a link. Users should upgrade to version 10.5.19 to receive a patch or, as a workaround, may apply the patch manually. | Affected by 34 other vulnerabilities. |
| VCID-qv8v-b5t4-jqb9 (aliases CVE-2023-28106, GHSA-x5j3-mq9g-8jc8) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Pimcore is an open source data and experience management platform. Prior to version 10.5.19, an attacker can use cross-site scripting to send a malicious script to an unsuspecting user. Users may upgrade to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually. | Affected by 34 other vulnerabilities. |
| VCID-r34d-uefq-skam (aliases CVE-2021-39166, GHSA-w6j8-jc36-x5q9) | Cross-site Scripting: Text values were not properly escaped before being printed in the version preview. This allowed XSS by authenticated users with access to the resources. This issue is patched in Pimcore. | Affected by 90 other vulnerabilities. |
| VCID-sbqb-c913-rqhb (aliases CVE-2022-0565, GHSA-h9vc-2p9g-63gp) | Cross-site Scripting in Packagist pimcore/pimcore prior to 10.3.1. | Affected by 67 other vulnerabilities. |
| VCID-sccv-pzyk-cka7 (aliases CVE-2019-18981, GHSA-jhcf-j4hg-v64r) | | Affected by 99 other vulnerabilities. |
| VCID-smn4-dvb2-u7hb (aliases CVE-2022-0260, GHSA-455w-gv5p-wgg3) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore. | Affected by 79 other vulnerabilities. Affected by 76 other vulnerabilities. |
| VCID-t6ek-fzh4-mbdu (aliases GHSA-2xpm-cmvw-3jcc, GMS-2023-779) | Reflected XSS in Application Logger module. Impact: this vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie, or to redirect users to other malicious sites. Patches: update to version 10.5.19 or apply https://github.com/pimcore/pimcore/pull/14606.patch manually. Workarounds: apply https://github.com/pimcore/pimcore/pull/14606.patch manually. References: https://huntr.dev/bounties/2a64a32d-b1cc-4def-91da-18040d59f356/ | Affected by 34 other vulnerabilities. |
| VCID-tgph-d6zp-vbdc (aliases CVE-2018-14059, GHSA-276r-24xq-hwg8) | Cross-site Scripting: Pimcore allows XSS via the Users, Assets, Data Objects, Video Thumbnails, Image Thumbnails, Field-Collections, Objectbrick, Classification Store, Document Types, Predefined Properties, Predefined Asset Metadata, Quantity Value, and Static Routes functions. | Affected by 104 other vulnerabilities. |
| VCID-tkcj-gar9-dbbh (aliases CVE-2023-1704, GHSA-hfmg-g39c-5444, GHSA-rp78-4562-gx3c) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.20. | Affected by 30 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-tpk1-5fw2-pfgc (aliases CVE-2019-10763, GHSA-fpff-384j-vxq7) | | Affected by 97 other vulnerabilities. |
| VCID-trf7-n9zr-bubx (aliases CVE-2021-4082, GHSA-2v2v-fx7r-f2fh) | pimcore is vulnerable to Cross-Site Request Forgery (CSRF). | Affected by 83 other vulnerabilities. |
| VCID-tzjt-fdqe-s7ct (aliases CVE-2021-23405, GHSA-g8jx-66p8-vcm2) | A SQL Injection flaw was found in the package pimcore/pimcore. This issue exists due to the absence of a check on the `storeId` parameter in the `collectionsActionGet` and `groupsActionGet` methods within the `ClassificationstoreController` class. | Affected by 94 other vulnerabilities. |
| VCID-u8cu-sdg9-4qae (aliases CVE-2018-14057, GHSA-gmff-vcv6-mmfr) | Cross-Site Request Forgery (CSRF): Pimcore allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the `X-pimcore-csrf-token`. | Affected by 104 other vulnerabilities. |
| VCID-ud81-gjp6-s3ac (aliases CVE-2023-23937, GHSA-8xv4-jj4h-qww6, GMS-2023-222) | Duplicate: this advisory duplicates another. | Affected by 53 other vulnerabilities. |
| VCID-ur7d-jx1z-kbet (aliases CVE-2023-30855, GHSA-g2mc-fqqc-hxg3) | Relative Path Traversal in pimcore/pimcore. | Affected by 47 other vulnerabilities. |
| VCID-uukc-b952-zbgk (aliases CVE-2021-4081, GHSA-3p85-p4qg-hcrp) | pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). | Affected by 83 other vulnerabilities. |
| VCID-uxdh-6r6k-h7fr (aliases CVE-2023-2615, GHSA-q7cc-m6jw-m262) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21. | Affected by 9 other vulnerabilities. |
| VCID-v6d4-h4sz-4yad (aliases CVE-2023-2340, GHSA-g93x-fm2w-5pxw) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21. | Affected by 9 other vulnerabilities. |
| VCID-v9ts-sd7r-gff2 (aliases CVE-2022-0704, GHSA-pc32-x737-74cv) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0. | Affected by 67 other vulnerabilities. Affected by 59 other vulnerabilities. |
| VCID-w7q9-zspa-pfb7 (aliases CVE-2021-4146, GHSA-54hw-mhgh-x4vc) | Business Logic Errors in GitHub repository pimcore/pimcore. | Affected by 83 other vulnerabilities. Affected by 76 other vulnerabilities. |
| VCID-wdud-ckq4-wqfa (aliases CVE-2023-28429, GHSA-rcg9-hrhx-6q69) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Pimcore is an open source data and experience management platform. Versions prior to 10.5.19 have an unsecured tooltip field in the DataObject class definition. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie, or to redirect users to other malicious sites. Users should upgrade to version 10.5.19 or, as a workaround, apply the patch manually. | Affected by 34 other vulnerabilities. |
| VCID-wura-bb97-rbg7 (aliases CVE-2021-37702, GHSA-pp2h-95hm-hv9r) | Improper Neutralization of Formula Elements in a CSV File: Pimcore is an open source data & experience management platform. Data Object CSV import allows formula injection. The problem is patched. Aside from upgrading, one may apply the patch manually as a workaround. | Affected by 92 other vulnerabilities. |
| VCID-wzbf-bazj-4kgy (aliases CVE-2023-3821, GHSA-78q2-cv3p-x9fm) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.6.4. | Affected by 2 other vulnerabilities. |
| VCID-x7pr-fcen-r7d5 (aliases CVE-2021-4139, GHSA-8xx9-rxrj-2m2w) | pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). | Affected by 79 other vulnerabilities. |
| VCID-xa87-8qgt-t7az (aliases CVE-2022-0894, GHSA-22hc-47cc-7x6f) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0. | Affected by 67 other vulnerabilities. Affected by 59 other vulnerabilities. |
| VCID-xgwg-8q8s-cbfk (aliases CVE-2023-3673, GHSA-rxp5-qwrf-pfv3) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.24. | Affected by 6 other vulnerabilities. |
| VCID-y92e-mb7u-sueg (aliases CVE-2023-2328, GHSA-2295-vh28-pphc) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21. | Affected by 9 other vulnerabilities. |
| VCID-yah4-88g3-37ak (aliases CVE-2023-1067, GHSA-f2jh-mf2c-8278) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18. | Affected by 47 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-ycet-r6tz-yyhn (aliases CVE-2023-28108, GHSA-xc9p-r5qj-8xm9) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): Pimcore is an open source data and experience management platform. Prior to version 10.5.19, quoting is not done properly in the UUID DAO model. There is a theoretical possibility of injecting custom SQL if a developer uses these methods with input data without doing proper input validation in advance, relying on the auto-quoting done by the DAO class. Users should update to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually. | Affected by 34 other vulnerabilities. |
| VCID-ypfe-fdqf-cfcn (aliases CVE-2021-23340, GHSA-h7f9-cvh5-qw7f) | | Affected by 95 other vulnerabilities. |
| VCID-z739-9aw2-83gp (aliases CVE-2019-16318, GHSA-cxj7-4jpj-2q38) | | Affected by 101 other vulnerabilities. |
| VCID-zbp5-8ec3-gfe4 (aliases CVE-2023-2984, GHSA-46g3-f9r8-xj4v) | Path Traversal: '\..\filename' in GitHub repository pimcore/pimcore prior to 10.5.22. | Affected by 8 other vulnerabilities. |
| VCID-zth5-afz8-uya7 (aliases CVE-2023-2341, GHSA-fq95-rx4q-qgg2) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21. | Affected by 9 other vulnerabilities. |
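The entry for VCID-d6ep-hreb-gqfg (CVE-2019-10867) describes untrusted POST data reaching `unserialize()`. The following is an added example, not code from VulnerableCode or from the Pimcore code base: the `TempFileCleaner` gadget class, the handler functions and the payload are constructed for the demonstration; only the pattern (a request value handed straight to `unserialize()`) comes from the advisory. It shows why the pattern is exploitable and two ways to close it.

```php
<?php
declare(strict_types=1);
// Added example, not Pimcore code. The handler shape, the TempFileCleaner
// class and the payload are constructed for the demo; only the pattern
// (untrusted POST "data" passed to unserialize()) comes from the advisory.

// Stand-in for any autoloadable class whose magic method does real work.
// Real gadget chains live in vendor libraries; this one is constructed.
final class TempFileCleaner
{
    public function __construct(public string $path) {}

    public function __destruct()
    {
        // A real gadget would unlink()/write the attacker-chosen path here.
        echo "  TempFileCleaner::__destruct() ran with path={$this->path}\n";
    }
}

// Vulnerable pattern: the raw request value goes straight to unserialize(),
// so the attacker chooses which class gets instantiated.
function bulkCommitVulnerable(array $post): void
{
    $data = unserialize($post['data']);
    unset($data);   // refcount drops to zero: __destruct() fires
}

// Fix 1: keep the serialized wire format but forbid objects, then reject
// anything that still decoded to an object (it shows up as
// __PHP_Incomplete_Class, whose magic methods never run).
function bulkCommitDataOnly(array $post): array
{
    $data = unserialize($post['data'], ['allowed_classes' => false]);
    if ($data === false || containsObject($data)) {
        throw new InvalidArgumentException('bulk-commit data must be scalars/arrays only');
    }
    return is_array($data) ? $data : [$data];
}

function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Fix 2: switch the wire format to JSON, which has no notion of classes.
function bulkCommitJson(array $post): array
{
    $data = json_decode($post['data'], true, 64, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('bulk-commit data must be a JSON object or array');
    }
    return $data;
}

// Constructed attacker payload: a serialized TempFileCleaner with an
// attacker-chosen path.
$payload = 'O:15:"TempFileCleaner":1:{s:4:"path";s:11:"/tmp/victim";}';

echo "vulnerable handler:\n";
bulkCommitVulnerable(['data' => $payload]);

echo "allowed_classes=false handler:\n";
try {
    bulkCommitDataOnly(['data' => $payload]);
} catch (InvalidArgumentException $e) {
    echo "  rejected: {$e->getMessage()}\n";
}

echo "JSON handler:\n";
try {
    bulkCommitJson(['data' => $payload]);
} catch (JsonException $e) {
    echo "  rejected: {$e->getMessage()}\n";
}
```

Run it with `php` on the command line (PHP 8.0 or newer for constructor promotion and `mixed`). The vulnerable handler executes the gadget's destructor; with `allowed_classes => false` the object becomes an inert `__PHP_Incomplete_Class` and is rejected by the shape check, and the JSON handler fails at parse time because a serialized object is not valid JSON.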
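Several entries above are path traversals, and VCID-mwu6-2hxd-efc2 (CVE-2023-30852) spells the mechanism out: `../` sequences in `scriptPath` walk out of the web root, and VCID-zbp5-8ec3-gfe4 (CVE-2023-2984) is the backslash variant of the same thing. The block below is an added example, not Pimcore's code: the parameter names `scriptPath` and `scripts` follow the advisory, while the web root layout, the `scriptProxy` function and the attack strings are constructed for the demonstration. It confines resolved paths to a base directory using `realpath()` and a separator-aware prefix check, and restricts the endpoint to `.js`/`.css` assets.

```php
<?php
declare(strict_types=1);
// Added example, not Pimcore code. Parameter names ($scriptPath, $scripts)
// follow the advisory; the web root, the files and the proxy function are
// constructed for the demo.

final class PathOutsideBaseException extends RuntimeException {}

/**
 * Resolve a user-controlled relative path inside $baseDir and refuse anything
 * that ends up outside it. The check runs on the canonical path from
 * realpath(), so "../", "..\" and symlinks are all handled the same way.
 */
function resolveInsideBase(string $baseDir, string $relative): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException("base directory does not exist: $baseDir");
    }
    // realpath()/fopen() stop at a NUL byte, so never let one through.
    if (str_contains($relative, "\0")) {
        throw new PathOutsideBaseException('NUL byte in path');
    }
    // Treat Windows separators like '/', so '\..\secret' cannot sidestep the check.
    $relative = str_replace('\\', '/', $relative);

    $candidate = realpath($base . '/' . ltrim($relative, '/'));
    if ($candidate === false) {
        throw new RuntimeException("no such file: $relative");
    }
    // The separator in the prefix matters: base "/srv/web" must not accept "/srv/web-private/x".
    if ($candidate !== $base && !str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        throw new PathOutsideBaseException("path escapes base directory: $relative");
    }
    return $candidate;
}

/** Hardened stand-in for a script-proxy endpoint: confined to $webRoot and to .js/.css files. */
function scriptProxy(string $webRoot, string $scriptPath, string $scripts): string
{
    $out = '';
    foreach (explode(',', $scripts) as $name) {
        $file = resolveInsideBase($webRoot, $scriptPath . '/' . trim($name));
        $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
        if (!in_array($ext, ['js', 'css'], true)) {
            throw new PathOutsideBaseException("not a script asset: $name");
        }
        $out .= file_get_contents($file) . "\n";
    }
    return $out;
}

// Constructed layout: a web root with one script, a non-script config file
// inside it, and a file outside it.
$root = sys_get_temp_dir() . '/traversal-demo-' . bin2hex(random_bytes(4));
mkdir("$root/web/static", 0700, true);
file_put_contents("$root/web/static/app.js", "console.log('hello');");
file_put_contents("$root/web/config.php", "<?php return ['db_password' => 'hunter2'];");
file_put_contents("$root/secret.txt", "db_password=hunter2");

echo "legitimate request:\n" . scriptProxy("$root/web", 'static', 'app.js');

$attempts = [
    ['..', 'secret.txt'],            // classic ../ traversal
    ['..\\', 'secret.txt'],          // backslash form (CWE-29)
    ['static/../..', 'secret.txt'],  // traversal hidden behind a valid prefix
    ['.', 'config.php'],             // inside the root but not a script asset
];
foreach ($attempts as [$scriptPath, $scripts]) {
    try {
        scriptProxy("$root/web", $scriptPath, $scripts);
        echo "UNEXPECTED: served $scriptPath/$scripts\n";
    } catch (PathOutsideBaseException $e) {
        echo "blocked: {$e->getMessage()}\n";
    }
}

// Remove the demo tree.
foreach (["$root/web/static/app.js", "$root/web/config.php", "$root/secret.txt"] as $f) {
    unlink($f);
}
rmdir("$root/web/static");
rmdir("$root/web");
rmdir($root);
```

Two details carry the security weight: the prefix comparison includes the directory separator (otherwise a sibling directory that merely starts with the base name passes), and both the base and the candidate go through `realpath()` so that symlinks and `..` are resolved before the comparison rather than pattern-matched in the raw string. Stripping `../` textually is not a substitute; the backslash case above is one of the forms such filters miss.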
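VCID-wura-bb97-rbg7 (CVE-2021-37702) is a CSV formula injection: a cell value starting with `=`, `+`, `-`, `@` (or a tab/carriage return) is executed as a formula by the spreadsheet that opens an exported file. The block below is an added example, not Pimcore's code. The data-object rows, the `importTextField` and `exportCsv` helpers and the payload strings are constructed for the demonstration; the neutralisation rule (prefix an apostrophe, keep CSV quoting) is the standard one for this CWE.

```php
<?php
declare(strict_types=1);
// Added example, not Pimcore code. Shows the formula-injection problem behind
// CVE-2021-37702 on constructed data-object rows: a value that arrived via
// CSV import (or a form field) starting with a formula character is later
// exported and evaluated by the spreadsheet that opens the file.

const FORMULA_TRIGGERS = "=+-@\t\r";

/** True when a spreadsheet would parse this cell as a formula rather than text. */
function looksLikeFormula(string $value): bool
{
    return $value !== '' && str_contains(FORMULA_TRIGGERS, $value[0]);
}

/**
 * Export-side neutralisation: a leading apostrophe makes the spreadsheet treat
 * the cell as text. fputcsv() still quotes the field, so commas and quotes
 * inside the value survive unchanged.
 */
function neutralizeCsvCell(string $value): string
{
    return looksLikeFormula($value) ? "'" . $value : $value;
}

/** Import-side check: refuse formula-looking values in fields that must be plain text. */
function importTextField(string $field, string $value): string
{
    if (looksLikeFormula($value)) {
        throw new InvalidArgumentException("$field: value starts with a formula character");
    }
    return $value;
}

function exportCsv(array $rows): string
{
    $fh = fopen('php://memory', 'w+');
    foreach ($rows as $row) {
        $cells = array_map(fn ($c) => neutralizeCsvCell((string) $c), $row);
        fputcsv($fh, $cells, ',', '"', '');
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed rows. The second "name" is the kind of payload that a desktop
// spreadsheet would hand to a DDE/command handler if exported unchanged; the
// phone number shows the cost of the rule (a harmless '+' is escaped too).
$rows = [
    ['id', 'name', 'price'],
    [1, 'Plain product', '9.99'],
    [2, '=cmd|\'/C calc\'!A0', '19.99'],
    [3, '+1 (555) 0100', '0.00'],
];

echo "unsafe export (what the vulnerable path produced):\n";
foreach ($rows as $row) {
    echo implode(',', $row), "\n";
}
echo "\nneutralised export:\n", exportCsv($rows);

echo "\nimport check:\n";
foreach (['Plain product', '=HYPERLINK("http://evil.example")'] as $name) {
    try {
        importTextField('name', $name);
        echo "accepted: $name\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```

Which side to fix depends on the product: rejecting formula-looking input at import is simplest but breaks legitimate values such as phone numbers and negative amounts, so most applications keep the import permissive and neutralise on export, as `exportCsv` does here. The explicit empty escape argument to `fputcsv()` avoids PHP's legacy backslash handling.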
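The SQL injection entries above, and VCID-ycet-r6tz-yyhn (CVE-2023-28108) in particular, describe a DAO that relies on its own quoting of a value spliced into SQL text. The block below is an added example, not Pimcore's code: the `uuids` table, its rows and the three functions are constructed for the demonstration, and it assumes the PDO SQLite driver is available in the PHP CLI. It puts the interpolating query next to the prepared-statement version and runs the same injected input through both.

```php
<?php
declare(strict_types=1);
// Added example, not Pimcore code. Reproduces the failure mode described for
// CVE-2023-28108 (a DAO that interpolates a UUID into SQL and relies on its own
// quoting) against a constructed in-memory SQLite table, beside the
// prepared-statement fix. Assumes the pdo_sqlite extension is loaded.

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE uuids (uuid TEXT PRIMARY KEY, itemId INTEGER NOT NULL, type TEXT NOT NULL)');
$pdo->exec("INSERT INTO uuids (uuid, itemId, type) VALUES
    ('6f1c0c4e-1111-4222-8333-000000000001', 1, 'document'),
    ('9a3d7b52-1111-4222-8333-000000000002', 2, 'object')");

/** Vulnerable: the value is spliced into the SQL text, so a quote inside it ends the literal. */
function getByUuidInterpolated(PDO $pdo, string $uuid): array
{
    $sql = "SELECT uuid, itemId, type FROM uuids WHERE uuid = '" . $uuid . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Hardened: a bound parameter travels as data; the driver never parses it as SQL. */
function getByUuidPrepared(PDO $pdo, string $uuid): array
{
    $stmt = $pdo->prepare('SELECT uuid, itemId, type FROM uuids WHERE uuid = :uuid');
    $stmt->execute([':uuid' => $uuid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Defence in depth: a UUID has a fixed alphabet, so reject anything else before it reaches the DAO. */
function assertUuidShape(string $uuid): string
{
    if (!preg_match('/\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i', $uuid)) {
        throw new InvalidArgumentException('not a UUID');
    }
    return $uuid;
}

// Constructed attacker input: closes the string literal and appends a
// tautology, so the WHERE clause matches every row.
$payload = "x' OR '1'='1";

echo "interpolated query with injected input: ",
    count(getByUuidInterpolated($pdo, $payload)), " row(s)\n";
echo "prepared query with the same input:     ",
    count(getByUuidPrepared($pdo, $payload)), " row(s)\n";

try {
    assertUuidShape($payload);
} catch (InvalidArgumentException $e) {
    echo "shape check on injected input: {$e->getMessage()}\n";
}

echo "prepared query with a real UUID:        ",
    count(getByUuidPrepared($pdo, assertUuidShape('6f1c0c4e-1111-4222-8333-000000000001'))), " row(s)\n";
```

The interpolated query returns every row for the injected input because the quote character ends the literal; the prepared query returns none because the whole string is compared as a value. `PDO::quote()` is the "auto-quoting" the advisory refers to, and it is only as good as the DAO's discipline in applying it to every value on every path, which is why bound parameters are the fix rather than better quoting. The shape check is cheap and catches the input before any SQL is built, but it is an addition to prepared statements, not a replacement.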
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||