Pimcore: Security Vulnerabilities
Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0.
CVSS Score: 4.3 | EPSS Score: 0.0 | Published: 2023-10-30
Excessive Data Query Operations in a Large Data Table in GitHub repository pimcore/demo prior to 10.3.0.
CVSS Score: 6.1 | EPSS Score: 0.0 | Published: 2023-09-27
Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore. A translation value whose text includes "%s" (from "%suggest%") is parsed by sprintf() even though it is supposed to be output literally to the user. The translations may be editable by a user with comparatively low overall access (the translation permission cannot be scoped to certain "modules"), and a skilled attacker might be able to exploit the parsing of the translation string in the dialog box. This issue has been patched in commit `abd77392`, which is included in release 1.1.2. Users are advised to update to version 1.1.2 or apply the patch manually.
CVSS Score: 5.4 | EPSS Score: 0.0 | Published: 2023-09-25
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.8.
CVSS Score: 6.4 | EPSS Score: 0.0 | Published: 2023-08-21
Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in `AssetController::importServerFilesAction`, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore_log parameter. This can lead to a potential denial of service or key-file overwrite. The impact of this vulnerability allows attackers to overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information. It could also cause a denial of service (DoS) if critical system files are overwritten or deleted.
CVSS Score: 6.3 | EPSS Score: 0.0 | Published: 2023-08-04
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/customer-data-framework prior to 3.4.2.
CVSS Score: 6.5 | EPSS Score: 0.0 | Published: 2023-08-03
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pimcore/pimcore prior to 10.6.4.
CVSS Score: 7.6 | EPSS Score: 0.0 | Published: 2023-07-21
SQL Injection in GitHub repository pimcore/pimcore prior to 10.6.4.
CVSS Score: 7.2 | EPSS Score: 0.412 | Published: 2023-07-21
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.6.4.
CVSS Score: 6.1 | EPSS Score: 0.0 | Published: 2023-07-21
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.4.
CVSS Score: 6.0 | EPSS Score: 0.11 | Published: 2023-07-21
Shodan® - All rights reserved