CVE-2023-30848

Name of the Vulnerable Software and Affected Versions Pimcore versions prior to 10.5.21

Description The issue is related to a SQL injection vulnerability in the admin search find API. This vulnerability allows an attacker to interfere with the queries that the application makes to its database, potentially viewing data they are not normally able to retrieve, modifying or deleting data, and causing persistent changes to the application's content or behavior. The vulnerability is accessible via the "fields[]" GET parameter in the API endpoint, which is not sanitized properly and is used in a SQL statement in an unsafe manner.

Recommendations For versions prior to 10.5.21, update to version 10.5.21 to receive a patch. As a temporary workaround, apply the patch manually. Restrict access to the vulnerable API endpoint until the issue is resolved. Avoid using the fields[] parameter in the affected API endpoint until the issue is resolved.