CVE-2024-23646

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-23646
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, parameter `selectedIds` is susceptible to SQL Injection. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. Version 1.3.2 contains a fix for this issue.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2006 Issue Tracking
https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2087 Issue Tracking
https://github.com/pimcore/admin-ui-classic-bundle/commit/363afef29496cc40a8b863c2ca2338979fcf50a8 Patch
https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.3.2 Release Notes
https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-cwx6-4wmf-c6xv Exploit Vendor Advisory
https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2006 Issue Tracking
https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2087 Issue Tracking
https://github.com/pimcore/admin-ui-classic-bundle/commit/363afef29496cc40a8b863c2ca2338979fcf50a8 Patch
https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.3.2 Release Notes
https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-cwx6-4wmf-c6xv Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:pimcore:*:*
History

No history.

Information

Published : 2024-01-24 20:15

Updated : 2024-11-21 08:58

NVD link : CVE-2024-23646

Mitre link : CVE-2024-23646

CVE.ORG link : CVE-2024-23646

JSON object : View

Products Affected

pimcore

  • admin_classic_bundle
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')