CVE-2023-38708 – Pimcore Path Traversal Vulnerability in AssetController:importServerFilesAction
https://notcve.org/view.php?id=CVE-2023-38708
Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in the `AssetController::importServerFilesAction`, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore_log parameter.This can lead to potential denial of service---key file overwrite. The impact of this vulnerability allows attackers to: overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information. This could also cause a denial of service (DoS) if critical system files are overwritten or deleted. • https://github.com/pimcore/pimcore/commit/58012d0e3b8b926fb54eccbd64ec5c993b30c22c https://github.com/pimcore/pimcore/security/advisories/GHSA-34hj-v8fm-x887 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2023-3822 – Cross-site Scripting (XSS) - Reflected in pimcore/pimcore
https://notcve.org/view.php?id=CVE-2023-3822
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.4. • https://github.com/pimcore/pimcore/commit/d75888a9b14baaad591548463cca09dfd1395236 https://huntr.dev/bounties/2a3a13fe-2a9a-4d1a-8814-fd8ed1e3b1d5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-3821 – Cross-site Scripting (XSS) - Stored in pimcore/pimcore
https://notcve.org/view.php?id=CVE-2023-3821
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.6.4. • https://github.com/pimcore/pimcore/commit/92811f07d39e4ad95c92003868f5f7309489d79c https://huntr.dev/bounties/599ba4f6-c900-4161-9127-f1e6a6e29aaa • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-3820 – SQL Injection in pimcore/pimcore
https://notcve.org/view.php?id=CVE-2023-3820
SQL Injection in GitHub repository pimcore/pimcore prior to 10.6.4. • https://github.com/pimcore/pimcore/commit/e641968979d4a2377bbea5e2a76bdede040d0b97 https://huntr.dev/bounties/b00a38b6-d040-494d-bf46-38f46ac1a1db • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-3819 – Exposure of Sensitive Information to an Unauthorized Actor in pimcore/pimcore
https://notcve.org/view.php?id=CVE-2023-3819
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pimcore/pimcore prior to 10.6.4. • https://github.com/pimcore/pimcore/commit/0237527b3244d251fa5ecd4912dfe4f8b2125c54 https://huntr.dev/bounties/be5e4d4c-1b0b-4c01-a1fc-00533135817c • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •