CVE-2023-38708

Name of the Vulnerable Software and Affected Versions Pimcore versions prior to 10.6.7

Description A path traversal vulnerability exists in the AssetController::importServerFilesAction, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore log parameter. This can lead to potential denial of service due to key file overwrite. The impact of this vulnerability allows attackers to overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information. It could also cause a denial of service (DoS) if critical system files are overwritten or deleted.

Recommendations Update to version 10.6.7 or apply the patch manually to address the vulnerability. As a temporary workaround, consider restricting access to the AssetController::importServerFilesAction function until a patch is applied. Avoid using the pimcore log parameter in the affected API endpoint until the issue is resolved.