CVE-2021-23340

Name of the Vulnerable Software and Affected Versions pimcore/pimcore versions prior to 6.8.8

Description A Local File Inclusion issue exists in the downloadCsvAction function of the CustomReportController class. This can be reached by an authenticated user through a GET request at the endpoint "/admin/reports/custom-report/download-csv?exportFile=filename". The exportFile variable is not sanitized, allowing an attacker to exploit this issue.

Recommendations For versions prior to 6.8.8, update to version 6.8.8 or later to resolve the issue. As a temporary workaround, consider disabling the downloadCsvAction function in the CustomReportController class until a patch is available. Restrict access to the /admin/reports/custom-report/download-csv endpoint to minimize the risk of exploitation. Avoid using the exportFile variable in the affected API endpoint until the issue is resolved.