high
7.5
CWE
22 89
Advisory Published
CVE Published
Updated

CVE-2023-30855: Pimcore Path Traversal Vulnerability in AdminBundle/Controller/Reports/CustomReportController.php

First published: Tue May 02 2023(Updated: )

### Impact The impact of this path traversal and arbitrary extension is limited (creation of arbitrary files and appending data to existing files) but when combined with the SQL Injection, the exported data `RESTRICTED DIFFUSION 9 / 9` can be controlled and a webshell can be uploaded. Attackers can use that to execute arbitrary PHP code on the server with the permissions of the webserver. ### Patches Update to version 10.5.18 or apply this patch manually https://github.com/pimcore/pimcore/commit/7f788fa44bc18bc1c9182c25e26b770a1d30b62f.patch ### Workarounds Apply patch https://github.com/pimcore/pimcore/commit/7f788fa44bc18bc1c9182c25e26b770a1d30b62f.patch manually. ### References https://github.com/pimcore/pimcore/pull/14498

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Pimcore Pimcore<10.5.18
composer/pimcore/pimcore<10.5.18
10.5.18

Remedy

https://github.com/pimcore/pimcore/commit/f1d904094700b513c4756904fa2b1e19d08d890e.patch

Remedy

https://github.com/pimcore/pimcore/pull/14498

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2023-30855?

    CVE-2023-30855 is a path traversal vulnerability in Pimcore, an open source data and experience management platform, that allows an attacker to create arbitrary files and append data to existing files.

  • What is the severity of CVE-2023-30855?

    CVE-2023-30855 has a severity rating of 7.5 (high).

  • How does CVE-2023-30855 impact Pimcore?

    CVE-2023-30855 allows an attacker to perform path traversal and create arbitrary files or append data to existing files in Pimcore.

  • Which versions of Pimcore are affected by CVE-2023-30855?

    Versions of Pimcore prior to 10.5.18 are affected by CVE-2023-30855.

  • How can I fix CVE-2023-30855?

    To fix CVE-2023-30855, update your Pimcore installation to version 10.5.18 or later.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203