CVE-2023-30850

Name of the Vulnerable Software and Affected Versions Pimcore versions prior to 10.5.21

Description Pimcore is an open source data and experience management platform. A SQL Injection issue exists in the admin translations API, allowing an attacker to interfere with database queries, potentially viewing, modifying, or deleting data. The API endpoint is accessible by an authenticated administrator user and is vulnerable to SQL injection via the filter POST parameter, specifically through the property key in the JSON formatted data, which is not properly sanitized. This could lead to persistent changes in the application's content or behavior and potentially compromise the underlying server.

Recommendations For versions prior to 10.5.21, update to version 10.5.21 to receive a patch. As a temporary workaround, consider applying the patch manually. Restrict access to the admin translations API endpoint to minimize the risk of exploitation. Avoid using the filter parameter in the affected API endpoint until the issue is resolved.