Josh Foote

**Name of the Vulnerable Software and Affected Versions** pimcore versions prior to build 3473 **Description** The issue allows remote authenticated users with the "assets" permission to create or write to arbitrary files via a .. (dot dot) in the `dir` parameter to "admin/asset/add-asset-compatibility". **Recommendations** For versions prior to build 3473, update to build 3473 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** pimcore versions prior to build 3473 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `filter` parameter to the "admin/asset/grid-proxy" API endpoint. **Recommendations** For versions prior to build 3473, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the "admin/asset/grid-proxy" API endpoint to minimize the risk of exploitation. Avoid using the `filter` parameter in the affected API endpoint until the issue is resolved.