CVSS: 7.6 • EPSS: 0% • CPEs: 1 • EXPL: 1

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pimcore/pimcore prior to 10.6.4. • https://github.com/pimcore/pimcore/commit/0237527b3244d251fa5ecd4912dfe4f8b2125c54 https://huntr.dev/bounties/be5e4d4c-1b0b-4c01-a1fc-00533135817c • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 1

SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.24. • https://github.com/pimcore/pimcore/commit/a06ce0abdba19ae0eefc38b035e677f8f0c2bce9 https://huntr.dev/bounties/46ca0934-5260-477b-9e86-7b16bb18d0a9 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. An admin who has not set up two-factor authentication is vulnerable to this attack, which requires no privileges and causes the application to execute arbitrary scripts/HTML content. This vulnerability has been patched in version 1.0.3. • https://github.com/pimcore/admin-ui-classic-bundle/commit/5fcd19bdc89a3fe4cb8ad8c356590e1e4740c743 https://github.com/pimcore/admin-ui-classic-bundle/pull/147 https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-hqv9-6jqw-9g8m • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

Improper Authorization in GitHub repository pimcore/customer-data-framework prior to 3.4.1. • https://github.com/pimcore/customer-data-framework/commit/f15668c86db254e86ba7ac895bc3cdd1a2a3cc45 https://huntr.dev/bounties/1dcb4f01-e668-4aa3-a6a3-838532e500c6 • CWE-285: Improper Authorization

CVSS: 8.8 • EPSS: 0% • CPEs: 2 • EXPL: 1

Path Traversal: '\..\filename' in GitHub repository pimcore/pimcore prior to 10.5.22. • https://github.com/pimcore/pimcore/commit/e8dbc4da58ae86618bceb67ed35ce23e5e54d2ed https://huntr.dev/bounties/5df8b951-e2f1-4548-a7e3-601186e1b191 • CWE-29: Path Traversal: '\..\filename'