CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 1CVE-2023-3819 – Exposure of Sensitive Information to an Unauthorized Actor in pimcore/pimcore
https://notcve.org/view.php?id=CVE-2023-3819
21 Jul 2023 — Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pimcore/pimcore prior to 10.6.4. • https://github.com/pimcore/pimcore/commit/0237527b3244d251fa5ecd4912dfe4f8b2125c54 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.3EPSS: 28%CPEs: 1EXPL: 1CVE-2023-3673 – SQL Injection in pimcore/pimcore
https://notcve.org/view.php?id=CVE-2023-3673
14 Jul 2023 — SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.24. • https://github.com/pimcore/pimcore/commit/a06ce0abdba19ae0eefc38b035e677f8f0c2bce9 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37280 – Pimcore admin UI vulnerable to Cross-site Scripting in two factor authentication setup page
https://notcve.org/view.php?id=CVE-2023-37280
11 Jul 2023 — Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. An admin who has not setup two factor authentication before is vulnerable for this attack, without need for any form of privilege, causing the application to execute arbitrary scripts/HTML content. This vulnerability has been patched in version 1.0.3. • https://github.com/pimcore/admin-ui-classic-bundle/commit/5fcd19bdc89a3fe4cb8ad8c356590e1e4740c743 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-3574 – Improper Authorization in pimcore/customer-data-framework
https://notcve.org/view.php?id=CVE-2023-3574
10 Jul 2023 — Improper Authorization in GitHub repository pimcore/customer-data-framework prior to 3.4.1. • https://github.com/pimcore/customer-data-framework/commit/f15668c86db254e86ba7ac895bc3cdd1a2a3cc45 • CWE-285: Improper Authorization •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-2983 – Privilege Defined With Unsafe Actions in pimcore/pimcore
https://notcve.org/view.php?id=CVE-2023-2983
30 May 2023 — Privilege Defined With Unsafe Actions in GitHub repository pimcore/pimcore prior to 10.5.23. • https://github.com/pimcore/pimcore/commit/c8f37b19c99cd82e4e558857d3e4d5476ea7228a • CWE-267: Privilege Defined With Unsafe Actions •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2023-2984 – Path Traversal: '\..\filename' in pimcore/pimcore
https://notcve.org/view.php?id=CVE-2023-2984
30 May 2023 — Path Traversal: '\..\filename' in GitHub repository pimcore/pimcore prior to 10.5.22. • https://github.com/pimcore/pimcore/commit/e8dbc4da58ae86618bceb67ed35ce23e5e54d2ed • CWE-29: Path Traversal: '\..\filename' •
CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2881 – Storing Passwords in a Recoverable Format in pimcore/customer-data-framework
https://notcve.org/view.php?id=CVE-2023-2881
25 May 2023 — Storing Passwords in a Recoverable Format in GitHub repository pimcore/customer-data-framework prior to 3.3.10. • https://github.com/pimcore/customer-data-framework/commit/d1d58c10313f080737dc1e71fab3beb12488a1e6 • CWE-257: Storing Passwords in a Recoverable Format CWE-522: Insufficiently Protected Credentials •
CVSS: 8.3EPSS: 10%CPEs: 1EXPL: 1CVE-2023-2756 – SQL Injection in pimcore/customer-data-framework
https://notcve.org/view.php?id=CVE-2023-2756
17 May 2023 — SQL Injection in GitHub repository pimcore/customer-data-framework prior to 3.3.10. • https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-2730 – Cross-site Scripting (XSS) - Stored in pimcore/pimcore
https://notcve.org/view.php?id=CVE-2023-2730
16 May 2023 — Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3. • https://github.com/pimcore/pimcore/commit/8ab06bfbb5a05a1b190731d9c7476ec45f5ee878 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-32075 – Pimcore vulnerable to Business Logic Errors in Customer automation rules
https://notcve.org/view.php?id=CVE-2023-32075
11 May 2023 — The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management. In `pimcore/customer-management-framework-bundle` prior to version 3.3.9, business logic errors are possible in the `Conditions` tab since the counter can be a negative number. This vulnerability is capable of the unlogic in the counter value in the Conditions tab. Users should update to version 3.3.9 to receive a patch or, as a workaround, or apply the patch manually. • https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch • CWE-20: Improper Input Validation •