CVE-2023-30849

Name of the Vulnerable Software and Affected Versions Pimcore versions prior to 10.5.21

Description A SQL injection vulnerability exists in the translation export API, allowing an attacker to interfere with the queries that the application makes to its database. This can enable an attacker to view data that they are not normally able to retrieve, modify or delete this data, causing persistent changes to the application's content or behavior. The vulnerability is accessible via the "filter" GET parameter in a specific API endpoint, where the value of the JSON key property inside filter is not sanitized properly and is used in a SQL statement in an unsafe manner.

Recommendations Update to version 10.5.21 to receive a patch. As a temporary workaround, apply the patch manually to fix the SQL injection vulnerability in the translation export API. Restrict access to the vulnerable API endpoint until the issue is resolved. Avoid using the property key inside the filter parameter in the affected API endpoint until the issue is resolved.