CVE-2023-28438

Name of the Vulnerable Software and Affected Versions Pimcore versions prior to 10.5.19

Description Pimcore is an open source data and experience management platform. Since a user with 'report' permission can already write arbitrary SQL queries and given the fact that an endpoint is using the GET method (no CSRF protection), an attacker can inject an arbitrary query by manipulating a user to click on a link. The impact of this issue is limited but when combined with SQL Injection, the exported data can be controlled and a webshell can be uploaded, allowing attackers to execute arbitrary PHP code on the server with the permissions of the webserver.

Recommendations For versions prior to 10.5.19, upgrade to version 10.5.19 to receive a patch. As a workaround, apply the patch manually. Restrict access to the endpoint using the GET method to minimize the risk of exploitation. Avoid using the report permission for users who do not need it until the issue is resolved.