CVE-2023-2336

Name of the Vulnerable Software and Affected Versions pimcore/pimcore versions prior to 10.5.21

Description The issue allows an authenticated attacker to abuse import-server-files with a path traversal to download an arbitrary file from the server. This can result in the exposure of confidential information, which can be used to launch further attacks or compromise the system. An arbitrary file read vulnerability enables an attacker to read files on the server that they should not have access to, potentially including sensitive files such as configuration files, user data, and credentials.

Recommendations Update to version 10.5.21 or apply the patch manually to resolve the issue. As a temporary workaround, consider restricting access to the import-server-files functionality until a patch is applied.