
CVE-2025-27617 – Pimcore Vulnerable to SQL Injection in getRelationFilterCondition
https://notcve.org/view.php?id=CVE-2025-27617
11 Mar 2025 — Pimcore is an open source data and experience management platform. Prior to version 11.5.4, authenticated users can craft a filter string used to cause a SQL injection. Version 11.5.4 fixes the issue. • https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Extension/RelationFilterConditionParser.php#L29-L47 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2025-24980 – User enumeration in pimcore/admin-ui-classic-bundle
https://notcve.org/view.php?id=CVE-2025-24980
07 Feb 2025 — pimcore/admin-ui-classic-bundle provides a Backend UI for Pimcore. In affected versions, an error message discloses existing accounts and leads to user enumeration on the target via the "Forgot password" function; no generic error message had been implemented. This issue has been addressed in version 1.7.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-vr5f-php7-rg24 • CWE-204: Observable Response Discrepancy

CVE-2024-11956 – Pimcore customer-data-framework list sql injection
https://notcve.org/view.php?id=CVE-2024-11956
28 Jan 2025 — A vulnerability, which was classified as critical, has been found in Pimcore customer-data-framework up to 4.2.0. Affected by this issue is some unknown functionality of the file /admin/customermanagementframework/customers/list. The manipulation of the argument filterDefinition/filter leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/pimcore/customer-data-framework/releases/tag/v4.2.1 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2023-2332 – Stored Cross-site Scripting (XSS) in pimcore/pimcore
https://notcve.org/view.php?id=CVE-2023-2332
15 Nov 2024 — A stored Cross-site Scripting (XSS) vulnerability exists in the Conditions tab of Pricing Rules in pimcore/pimcore version 10.5.19. The vulnerability is present in the From and To fields of the Date Range section, allowing an attacker to inject malicious scripts. This can lead to the execution of arbitrary JavaScript code in the context of the user's browser, potentially stealing cookies or redirecting users to malicious sites. The issue is fixed in version 10.5.21. • https://github.com/pimcore/pimcore/commit/a4491551967d879141a3fdf0986a9dd3d891abfe • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-49370 – Change-Password via Portal-Profile sets PimcoreBackendUser password without hashing
https://notcve.org/view.php?id=CVE-2024-49370
23 Oct 2024 — Pimcore is an open source data and experience management platform. When a PortalUserObject is connected to a PimcoreUser and "Use Pimcore Backend Password" is set to true, the change password function in Portal Profile sets the new password. Prior to Pimcore portal engine versions 4.1.7 and 3.1.16, the password is then stored without hashing, so it can be read by everyone. Everyone who links PortalUsers to PimcoreUsers and changes passwords via profile settings could be affected. Versions 4.1.7 and 3.1.16 of t... • https://github.com/pimcore/pimcore/security/advisories/GHSA-74p5-77rq-gfqc • CWE-256: Plaintext Storage of a Password

CVE-2024-41109 – Pimcore vulnerable to disclosure of system and database information behind /admin firewall
https://notcve.org/view.php?id=CVE-2024-41109
30 Jul 2024 — Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Navigating to `/admin/index/statistics` with a logged in Pimcore user exposes information about the Pimcore installation, PHP version, MySQL version, installed bundles and all database tables and their row count in the system. This vulnerability is fixed in 1.5.2, 1.4.6, and 1.3.10. • https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/IndexController.php#L125C24-L125C40 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2024-32871 – Pimcore Vulnerable to Flooding Server with Thumbnail files
https://notcve.org/view.php?id=CVE-2024-32871
04 Jun 2024 — Pimcore is an Open Source Data & Experience Management Platform. The Pimcore thumbnail generation can be used to flood the server with large files. By changing the file extension or scaling factor of the requested thumbnail, attackers can create files that are much larger in file size than the original. This vulnerability is fixed in 11.2.4. • https://github.com/pimcore/pimcore/commit/38af70b3130f16fc27f2aea34e2943d7bdaaba06 • CWE-770: Allocation of Resources Without Limits or Throttling

CVE-2024-29197 – Pimcore Preview Documents are not restricted to logged in users anymore
https://notcve.org/view.php?id=CVE-2024-29197
26 Mar 2024 — Pimcore is an Open Source Data & Experience Management Platform. Any call with the query argument `?pimcore_preview=true` allows viewing unpublished sites. In previous versions of Pimcore, session information would propagate to previews, so only a logged in user could open a preview. This no longer applies. • https://github.com/pimcore/pimcore/commit/3ae43fb1065f9eb62ad2f542b883858d36d57e53 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2024-25625 – Pimcore Host Header Injection in user invitation link
https://notcve.org/view.php?id=CVE-2024-25625
19 Feb 2024 — Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in `pimcore/admin-ui-classic-bundle` prior to version 1.3.4. The vulnerability involves a Host Header Injection in the `invitationLinkAction` function of the UserController, specifically in the way `$loginUrl` trusts user input. The host header from incoming HTTP requests is used unsafely when generating URLs. An attacker can manipulate the HTTP host header in requests to the /admin/user/... • https://github.com/pimcore/admin-ui-classic-bundle/commit/b9fee9d383fc73dbd5e1d98dbb0ff3266d6b5a82 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2024-24822 – Pimcore Admin Classic Bundle permissions are not getting checked when working with tags
https://notcve.org/view.php?id=CVE-2024-24822
07 Feb 2024 — Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Prior to version 1.3.3, an attacker can create, delete, etc. tags without having the permission to do so. A fix is available in version 1.3.3. As a workaround, one may apply the patch manually. • https://github.com/pimcore/admin-ui-classic-bundle/commit/24660b6d5ad9cbcb037a48d4309a6024e9adf251 • CWE-862: Missing Authorization