Pimcore · Pimcore · CVE-2023-47637
**Name of the Vulnerable Software and Affected Versions**
Pimcore versions prior to 11.1.1
**Description**
The issue allows backend users with basic permissions to execute arbitrary SQL statements by passing input directly into an SQL statement through the `/admin/object/grid-proxy` endpoint. This is due to the `getFilterCondition()` function, specifically in the `Multiselect` implementation, not normalizing, escaping, or validating the passed value. As a result, any backend user can alter data or escalate their privileges to at least admin level. There are no known workarounds for this issue.
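The flaw described above is the classic pattern of splicing a request-supplied filter value into SQL text. The following is an added illustration, not Pimcore's own code: a hypothetical multiselect filter builder in Python over an in-memory SQLite table (the table, rows, `ALLOWED_TAGS` and all function names are constructed for the example). It shows a builder that interpolates the value, so that a value containing a quote rewrites the query, beside a hardened builder that validates the column name, checks the value against the field's configured options, and binds the value as a parameter with LIKE metacharacters escaped.

```python
import re
import sqlite3

# Constructed sample table standing in for an object grid; not Pimcore's schema.
# A multiselect field is stored here as a comma-delimited list with leading and
# trailing commas, so option "red" is found with LIKE '%,red,%'.
SAMPLE_ROWS = [
    (1, "alpha", ",red,blue,"),
    (2, "beta", ",green,"),
    (3, "gamma", ",red,"),
]
ALLOWED_TAGS = {"red", "green", "blue"}  # the field's configured options (constructed)


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE objects (id INTEGER, name TEXT, tags TEXT)")
    conn.executemany("INSERT INTO objects VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


# --- Vulnerable pattern (hypothetical; mirrors the class of flaw in the advisory) ---
def vulnerable_filter_condition(field, value):
    # The filter value from the request is spliced straight into SQL text, so a
    # value containing a quote changes the statement instead of being matched.
    return f"{field} LIKE '%,{value},%'"


def query_vulnerable(conn, value):
    sql = "SELECT id FROM objects WHERE " + vulnerable_filter_condition("tags", value) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


# --- Hardened pattern: validate the column, allowlist the options, bind the values ---
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _escape_like(value):
    # Escape LIKE metacharacters so the bound value is matched literally.
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def safe_filter_condition(field, values, allowed=None):
    if not _IDENT.match(field):
        raise ValueError(f"refusing to filter on column name {field!r}")
    if isinstance(values, str):
        values = [values]
    clauses, params = [], []
    for value in values:
        # A single option can never be empty or contain the list delimiter.
        if not isinstance(value, str) or value == "" or "," in value:
            raise ValueError(f"invalid multiselect option {value!r}")
        if allowed is not None and value not in allowed:
            raise ValueError(f"unknown multiselect option {value!r}")
        clauses.append(f'"{field}" LIKE ? ESCAPE ' + "'\\'")
        params.append(f"%,{_escape_like(value)},%")
    return "(" + " OR ".join(clauses) + ")", params


def query_safe(conn, values, allowed=None):
    cond, params = safe_filter_condition("tags", values, allowed)
    sql = "SELECT id FROM objects WHERE " + cond + " ORDER BY id"
    return [row[0] for row in conn.execute(sql, params)]


def filter_is_accepted(field, values, allowed=None):
    # True if the hardened builder accepts the filter, False if it rejects it.
    try:
        safe_filter_condition(field, values, allowed)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_db()
    print(query_vulnerable(db, "red"))                       # [1, 3]
    print(query_vulnerable(db, "' OR 1=1 OR tags LIKE '"))   # [1, 2, 3]: the filter is bypassed
    print(query_safe(db, ["' OR 1=1 OR tags LIKE '"]))       # []: the same string is matched as data
    print(query_safe(db, ["red", "green"], ALLOWED_TAGS))    # [1, 2, 3]
```

The option allowlist is what the advisory calls validation; parameter binding is what makes the query safe even when the allowlist is unavailable, and the `ESCAPE` clause keeps a `%` or `_` in a value from turning into a wildcard. Rejecting the delimiter character closes the remaining way a single option could masquerade as several.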
**Recommendations**
For versions prior to 11.1.1, update to version 11.1.1 to resolve the issue. As a temporary workaround, consider restricting access to the `/admin/object/grid-proxy` endpoint and the `Multiselect` field to minimize the risk of exploitation. Avoid using the `filter` parameter in the affected API endpoint until the issue is resolved.