VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-qn3n-hpd2-7baf

Essentials
Severities (16)
References (7)
Severity details (15)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-qn3n-hpd2-7baf
Aliases	CVE-2023-28438 GHSA-vf7q-g2pv-jxvx
Summary	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries and given the fact that this endpoint is using the GET method (no CSRF protection), an attacker can inject an arbitrary query by manipulating a user to click on a link. Users should upgrade to version 10.5.19 to receive a patch or, as a workaround, may apply the patch manually.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00023	https://api.first.org/data/v1/epss?cve=CVE-2023-28438
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-vf7q-g2pv-jxvx
cvssv3.1	6.2	https://github.com/pimcore/pimcore
generic_textual	MODERATE	https://github.com/pimcore/pimcore
cvssv3.1	6.2	https://github.com/pimcore/pimcore/commit/d1abadb181c88ebaa4bce1916f9077469d4ea2bc.patch
generic_textual	MODERATE	https://github.com/pimcore/pimcore/commit/d1abadb181c88ebaa4bce1916f9077469d4ea2bc.patch
ssvc	Track	https://github.com/pimcore/pimcore/commit/d1abadb181c88ebaa4bce1916f9077469d4ea2bc.patch
cvssv3.1	6.2	https://github.com/pimcore/pimcore/pull/14526
generic_textual	MODERATE	https://github.com/pimcore/pimcore/pull/14526
ssvc	Track	https://github.com/pimcore/pimcore/pull/14526
cvssv3.1	6.2	https://github.com/pimcore/pimcore/security/advisories/GHSA-vf7q-g2pv-jxvx
cvssv3.1_qr	MODERATE	https://github.com/pimcore/pimcore/security/advisories/GHSA-vf7q-g2pv-jxvx
generic_textual	MODERATE	https://github.com/pimcore/pimcore/security/advisories/GHSA-vf7q-g2pv-jxvx
ssvc	Track	https://github.com/pimcore/pimcore/security/advisories/GHSA-vf7q-g2pv-jxvx
cvssv3.1	6.2	https://nvd.nist.gov/vuln/detail/CVE-2023-28438
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2023-28438

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2023-28438
		https://github.com/pimcore/pimcore
		https://github.com/pimcore/pimcore/commit/d1abadb181c88ebaa4bce1916f9077469d4ea2bc.patch
		https://github.com/pimcore/pimcore/pull/14526
CVE-2023-28438		https://nvd.nist.gov/vuln/detail/CVE-2023-28438
GHSA-vf7q-g2pv-jxvx		https://github.com/advisories/GHSA-vf7q-g2pv-jxvx
GHSA-vf7q-g2pv-jxvx		https://github.com/pimcore/pimcore/security/advisories/GHSA-vf7q-g2pv-jxvx

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N Found at https://github.com/pimcore/pimcore

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N Found at https://github.com/pimcore/pimcore/commit/d1abadb181c88ebaa4bce1916f9077469d4ea2bc.patch

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:28:17Z/ Found at https://github.com/pimcore/pimcore/commit/d1abadb181c88ebaa4bce1916f9077469d4ea2bc.patch

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N Found at https://github.com/pimcore/pimcore/pull/14526

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:28:17Z/ Found at https://github.com/pimcore/pimcore/pull/14526

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N Found at https://github.com/pimcore/pimcore/security/advisories/GHSA-vf7q-g2pv-jxvx

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:28:17Z/ Found at https://github.com/pimcore/pimcore/security/advisories/GHSA-vf7q-g2pv-jxvx

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-28438

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.06824
EPSS Score	0.00023
Published At	May 30, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-05-30T21:00:03.289966+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/pimcore/pimcore/CVE-2023-28438.yml	38.6.0