Pimcore · Pimcore Admin Classic Bundle · CVE-2024-23646
**Name of the Vulnerable Software and Affected Versions**
Pimcore's Admin Classic Bundle versions prior to 1.3.2
**Description**
The application lets backend users build a zip archive from files available on the site. The `selectedIds` parameter of that request is used in a SQL query without escaping, so it is susceptible to SQL injection. Any backend user with only basic permissions can execute arbitrary SQL statements, and thus alter any data or escalate their privileges to at least admin level.
**Recommendations**
For versions prior to 1.3.2, update to version 1.3.2 to resolve the issue.
As a temporary workaround, escape every element of `selectedIds` before it is interpolated into the SQL statement, for example:
```php
// Escape each requested id before it is interpolated into the SQL statement.
// $db is the database connection the action already uses; empty values are skipped.
$quotedSelectedIds = [];
foreach ($selectedIds as $selectedId) {
    if ($selectedId) {
        $quotedSelectedIds[] = $db->quote($selectedId);
    }
}
```
Restrict access to the `downloadAsZipAddFilesAction` endpoint to minimize the risk of exploitation.
Avoid using the parameter `selectedIds` in the affected API endpoint until the issue is resolved.
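The following is an added example, not Pimcore's code, showing why the unescaped `selectedIds` list described above is exploitable and how the workaround and a prepared statement close it. It builds an `IN (...)` clause three ways: concatenated raw (vulnerable), quoted per element (the advisory's workaround), and bound as integer placeholders. It runs against an in-memory SQLite database via PDO; the `assets` table, its rows and the payload are constructed for the demo and are not Pimcore's schema, and `$db->quote()` stands in for the quoting method of whatever connection object the real action uses.

```php
<?php
// Added example, not Pimcore's code: an IN (...) clause built from a request
// parameter, first as the vulnerable pattern, then escaped as in the advisory's
// workaround, then with bound integer placeholders. Runs against an in-memory
// SQLite database through PDO; the `assets` table and its rows are constructed
// for the demo and are not Pimcore's schema.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE assets (id INTEGER PRIMARY KEY, path TEXT)');
$db->exec("INSERT INTO assets (id, path) VALUES (1, '/public/a.jpg'), (2, '/public/b.jpg'), (3, '/private/key.pem')");

// Vulnerable: request values are concatenated straight into the SQL text.
function selectVulnerable(PDO $db, array $selectedIds): array
{
    $sql = 'SELECT id, path FROM assets WHERE id IN (' . implode(',', $selectedIds) . ')';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Advisory workaround: quote every element before it is interpolated, so the
// value can no longer break out of its string literal.
function selectQuoted(PDO $db, array $selectedIds): array
{
    $quotedSelectedIds = [];
    foreach ($selectedIds as $selectedId) {
        if ($selectedId) {
            $quotedSelectedIds[] = $db->quote((string) $selectedId);
        }
    }
    if ($quotedSelectedIds === []) {
        return [];
    }
    $sql = 'SELECT id, path FROM assets WHERE id IN (' . implode(',', $quotedSelectedIds) . ')';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Preferred fix: coerce to integers, drop anything that is not a positive id,
// and bind the remaining values as placeholders instead of building SQL text.
function selectPrepared(PDO $db, array $selectedIds): array
{
    $ids = array_values(array_filter(array_map('intval', $selectedIds), fn ($id) => $id > 0));
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, path FROM assets WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed payload: one "id" that closes the IN list and appends its own condition.
$payload = ['1) OR 1=1 --'];

echo "vulnerable:\n";
print_r(selectVulnerable($db, $payload));
echo "quoted:\n";
print_r(selectQuoted($db, $payload));
echo "prepared:\n";
print_r(selectPrepared($db, $payload));
```

With the payload, the vulnerable query becomes `... WHERE id IN (1) OR 1=1 --)` and returns every row, including the private file; in the real endpoint the same position allows any statement the database user can run, which is the path to data tampering and privilege escalation the advisory describes. The quoted and prepared variants treat the payload as data: SQLite matches nothing for the quoted string, while MySQL/MariaDB would coerce its leading `1` and return only asset 1, which is still just an id the caller named. Quoting stops the injection, but the integer-cast plus placeholder form also removes the string comparison entirely and is the shape a permanent fix should take, alongside a check that the caller is actually permitted to download each requested asset.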