CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 4CVE-2018-14057 – Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2018-14057
Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function. Pimcore en versiones anteriores a la 5.3.0 permite que los atacantes remotos realicen ataques Cross-Site Request Forgery (CSRF) utilizando la validación del token anti-CSRF X-pimcore-csrf-token solo en la función "Settings > Users / Roles". Pimcore versions 5.2.3 and below suffer from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities. • https://www.exploit-db.com/exploits/45208 http://packetstormsecurity.com/files/148954/Pimcore-5.2.3-CSRF-Cross-Site-Scripting-SQL-Injection.html http://seclists.org/fulldisclosure/2018/Aug/13 https://www.sec-consult.com/en/blog/advisories/sql-injection-xss-csrf-vulnerabilities-in-pimcore-software • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 4CVE-2018-14058 – Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2018-14058
Pimcore before 5.3.0 allows SQL Injection via the REST web service API. Pimcore en versiones anteriores a la 5.3.0 permite la inyección SQL mediante la API REST de servicio web. Pimcore versions 5.2.3 and below suffer from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities. • https://www.exploit-db.com/exploits/45208 http://packetstormsecurity.com/files/148954/Pimcore-5.2.3-CSRF-Cross-Site-Scripting-SQL-Injection.html http://seclists.org/fulldisclosure/2018/Aug/13 https://www.sec-consult.com/en/blog/advisories/sql-injection-xss-csrf-vulnerabilities-in-pimcore-software • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 4CVE-2018-14059 – Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2018-14059
Pimcore allows XSS via Users, Assets, Data Objects, Video Thumbnails, Image Thumbnails, Field-Collections, Objectbrick, Classification Store, Document Types, Predefined Properties, Predefined Asset Metadata, Quantity Value, and Static Routes functions. Pimcore permite Cross-Site Scripting (XSS) mediante las funciones Users, Assets, Data Objects, Video Thumbnails, Image Thumbnails, Field-Collections, Objectbrick, Classification Store, Document Types, Predefined Properties, Predefined Asset Metadata, Quantity Value y Static Routes. Pimcore versions 5.2.3 and below suffer from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities. • https://www.exploit-db.com/exploits/45208 http://packetstormsecurity.com/files/148954/Pimcore-5.2.3-CSRF-Cross-Site-Scripting-SQL-Injection.html http://seclists.org/fulldisclosure/2018/Aug/13 https://www.sec-consult.com/en/blog/advisories/sql-injection-xss-csrf-vulnerabilities-in-pimcore-software • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2015-4426 – Pimcore CMS Build 3450 SQL Injection
https://notcve.org/view.php?id=CVE-2015-4426
SQL injection vulnerability in pimcore before build 3473 allows remote attackers to execute arbitrary SQL commands via the filter parameter to admin/asset/grid-proxy. Vulnerabilidad de inyección SQL en pimcore en versiones anteriores a build 3473, permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro filter a admin/asset/grid-proxy. Pimcore CMS build 3450 suffers from a remote SQL injection vulnerability. • http://seclists.org/fulldisclosure/2015/Jul/58 http://www.securityfocus.com/bid/75724 https://github.com/pimcore/pimcore/commit/1c6692e8287deed7f3356b6a1e2e9b7fe4e858dd https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-4426 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.9EPSS: 3%CPEs: 1EXPL: 2CVE-2015-4425 – Pimcore CMS Build 3450 - Directory Traversal
https://notcve.org/view.php?id=CVE-2015-4425
Directory traversal vulnerability in pimcore before build 3473 allows remote authenticated users with the "assets" permission to create or write to arbitrary files via a .. (dot dot) in the dir parameter to admin/asset/add-asset-compatibility. Vulnerabilidad de salto de directorio en pimcore en versiones anteriores a build 3473, permite a usuarios remotos autenticados con el permiso 'assets' crear o escribir archivos arbitrarios a través de un .. (punto punto) en el parámetro dir a admin/asset/add-asset-compatibility. • https://www.exploit-db.com/exploits/37609 http://seclists.org/fulldisclosure/2015/Jul/57 https://github.com/pimcore/pimcore/commit/4f2a95f877d406a054f9f2253475fe58c76aa03d https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-4425 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •