PT-2020-19772 · Pimcore · Pimcore

Daniele Scanu · Published 2020-10-30 · Updated 2021-05-06 · CVE-2020-7759

CVSS v3.1: 7.2 High
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

pimcore/pimcore versions 6.7.2 through 6.8.3

Description

The issue affects the data classification functionality in ClassificationstoreController and allows SQL injection. It can be exploited by sending specially crafted input in the relationIds parameter, for example in a request to "/admin/classificationstore/relations" with a manipulated relationIds parameter.

Recommendations

For versions 6.7.2 through 6.8.3, as a temporary workaround, consider restricting access to the ClassificationstoreController or disabling the relationIds parameter in the "/admin/classificationstore/relations" endpoint until a patch is available. Avoid using the relationIds parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2020-7759
GHSA-8JMH-C6VR-PMVM
SNYK-PHP-PIMCOREPIMCORE-1017405

Affected Products

Pimcore