Kingjia90

**Name of the Vulnerable Software and Affected Versions** pimcore/pimcore versions prior to 10.6.4 pimcore/pimcore version 10.6.4 is not affected, the fixed version is 10.6.5 **Description** The issue is related to SQL injection in the pimcore/pimcore GitHub repository. This is due to a lack of protection measures for the SQL query structure. An attacker can exploit this issue to conduct SQL injection attacks remotely. Using SQL exploitation tools, such as sqlmap, an attacker can enumerate all information in the database, alter data, or perform a denial of service on the backend database. **Recommendations** For pimcore/pimcore versions prior to 10.6.4, update to version 10.6.5 to resolve the issue. As a temporary workaround, apply the patch manually from https://github.com/pimcore/pimcore/commit/e641968979d4a2377bbea5e2a76bdede040d0b97.patch to mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** pimcore/customer-data-framework versions prior to 3.4.1 **Description** The product performs authorization checks incorrectly, allowing an unauthorized actor to access resources or perform actions. This enables the attacker to view and freely add, modify, or delete rules. **Recommendations** For versions prior to 3.4.1, update to version 3.4.1 or apply the patch manually from https://github.com/pimcore/customer-data-framework/commit/f15668c86db254e86ba7ac895bc3cdd1a2a3cc45.patch.

**Name of the Vulnerable Software and Affected Versions** pimcore versions prior to 10.3.3 **Description** The issue is related to stored Cross-site Scripting (XSS) in the GitHub repository pimcore/pimcore. Specifically, it affects the `Title field` in the `SEO & Settings` tab of `Document`. This allows for malicious scripts to be stored and executed when a user accesses the affected page. **Recommendations** For versions prior to 10.3.3, update to version 10.3.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `Title field` in the `SEO & Settings` tab of `Document` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** No specific software name is mentioned, but based on the information provided, the affected software is likely a web application. Since the affected versions are not explicitly mentioned, the output will be: Web application (affected versions not specified) **Description** If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. The attacker can perform any action within the application that the user can perform, view any information that the user is able to view, modify any information that the user is able to modify, and initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pimcore/pimcore versions prior to 10.3.3 **Description** The issue is related to stored Cross-site Scripting (XSS) in the GitHub repository pimcore/pimcore. This type of attack occurs when an application stores user input that contains malicious scripts, which are then executed by the application, allowing an attacker to perform unauthorized actions. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** For versions prior to 10.3.3, update to version 10.3.3 or later to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of stored XSS attacks until a patch is available.

**Name of the Vulnerable Software and Affected Versions** pimcore/pimcore versions prior to 10.3.2 **Description** The issue concerns a path traversal problem in the pimcore/pimcore GitHub repository. Specifically, the application fails to check or filter the value of the `importFile` parameter at the "/admin/translation/import" endpoint. This allows for potential file deletion using the PHP unlink function after API execution. **Recommendations** For versions prior to 10.3.2, update to version 10.3.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/admin/translation/import" endpoint until a patch is available. Avoid using the `importFile` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** pimcore/pimcore versions prior to 10.3.1 **Description** The issue concerns Exposure of Sensitive Information to an Unauthorized Actor. There is also a mention of Cross-site Scripting. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For versions prior to 10.3.1, update to version 10.3.1 or later to resolve the issue.