Pimcore: >> Pimcore >> 5.6.3 Security Vulnerabilities
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.
CVSS Score
8.8
EPSS Score
0.0
Published
2019-09-14
An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to /admin/class/bulk-commit, which will make it possible to exploit the unserialize function when passing untrusted values in the data parameter to bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php.
CVSS Score
8.8
EPSS Score
0.535
Published
2019-04-04
Page 11