Highbrusch

**Name of the Vulnerable Software and Affected Versions** Pimcore versions prior to 10.4.4 **Description** Pimcore is an Open Source Data & Experience Management Platform that offers developers listing classes to make querying data easier. These listing classes allow ordering or grouping results based on one or more columns, which should be quoted by default. However, quoting is not done properly, allowing the theoretical possibility to inject custom SQL if the developer uses these methods with input data and does not perform proper input validation in advance, relying on auto-quoting by the listing classes. **Recommendations** For versions prior to 10.4.4, upgrade to version 10.4.4 or apply the patch manually to resolve the issue. As a temporary workaround, consider validating all input data before using it with the listing classes to minimize the risk of exploitation. Restrict access to the `setOrderKey` and `setGroupBy` methods to prevent unauthorized use until the issue is resolved. Avoid using user-provided input for the `orderBy` and `groupBy` parameters in the affected API endpoints until the issue is resolved.