CVE-2023-28438: Pimcore vulnerable to improper quoting of filters in Custom Reports
First published: Wed Mar 22 2023(Updated: )
Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries and given the fact that this endpoint is using the GET method (no CSRF protection), an attacker can inject an arbitrary query by manipulating a user to click on a link. Users should upgrade to version 10.5.19 to receive a patch or, as a workaround, may apply the patch manually.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pimcore Pimcore | <10.5.19 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-28438?
CVE-2023-28438 is a vulnerability in Pimcore that allows an attacker with 'report' permission to inject arbitrary SQL queries.
How does CVE-2023-28438 affect Pimcore?
CVE-2023-28438 affects Pimcore versions up to and excluding 10.5.19.
What is the severity of CVE-2023-28438?
CVE-2023-28438 has a high severity rating of 8 out of 10.
How can an attacker exploit CVE-2023-28438?
An attacker can exploit CVE-2023-28438 by injecting arbitrary SQL queries through the GET method without CSRF protection.
Is there a fix for CVE-2023-28438?
Yes, the fix for CVE-2023-28438 is included in version 10.5.19 of Pimcore.
- collector/nvd-index
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/title
- agent/references
- agent/last-modified-date
- agent/severity
- agent/author
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/pimcore
- canonical/pimcore pimcore