PT-2023-30527 · Pimcore · Pimcore

Dvesh3 (+1)

Published: 2023-11-15 · Updated: 2023-11-22

CVE-2023-47637

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Pimcore versions prior to 11.1.1

Description: The issue allows backend users with basic permissions to execute arbitrary SQL statements by passing input directly into an SQL statement through the /admin/object/grid-proxy endpoint. This is due to the getFilterCondition() function, specifically in the Multiselect implementation, not normalizing, escaping, or validating the passed value. As a result, any backend user can alter data or escalate their privileges to at least admin level. There are no known workarounds for this issue.

Recommendations: For versions prior to 11.1.1, update to version 11.1.1 to resolve the issue. As a temporary workaround, consider restricting access to the /admin/object/grid-proxy endpoint and the Multiselect field to minimize the risk of exploitation. Avoid using the filter parameter in the affected API endpoint until the issue is resolved.
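To illustrate the class of defect the description names (filter values spliced into SQL text without escaping or validation), the following is an added example; it is not Pimcore's code and not the fix shipped in 11.1.1. It shows a hypothetical multiselect filter builder in its vulnerable form next to a hardened form that checks the column name against an allowlist and binds every value as a parameter. Function and parameter names, the table layout and the sample rows are assumptions; the usage section needs the PDO SQLite driver.

```php
<?php
// Added illustration, not Pimcore code. Hypothetical helpers for a grid
// filter of the kind the advisory describes.

// Vulnerable pattern: the filter values arrive from the request and are
// spliced straight into the SQL text, so a value containing a quote can
// change the meaning of the statement.
function buildMultiselectConditionUnsafe(string $column, array $values): string
{
    $list = "'" . implode("','", $values) . "'";
    return "$column IN ($list)";
}

// Hardened pattern: the column name must be one of a known set of field
// names, and every value becomes a bound parameter, so the database
// driver never parses request data as SQL. Returns the WHERE fragment
// and the parameter list for a prepared statement.
function buildMultiselectConditionSafe(string $column, array $values, array $allowedColumns): array
{
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException("Unknown filter column: $column");
    }
    if ($values === []) {
        // "IN ()" is a syntax error; an empty selection matches nothing.
        return ['1 = 0', []];
    }
    $placeholders = implode(', ', array_fill(0, count($values), '?'));
    return ["`$column` IN ($placeholders)", array_values($values)];
}

// Usage against an in-memory SQLite table with constructed sample rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE objects (id INTEGER PRIMARY KEY, status TEXT)');
$pdo->exec("INSERT INTO objects (status) VALUES ('draft'), ('published'), ('archived')");

// Simulated request input: one genuine value and one string that carries
// a quote. Bound as a parameter it is compared as a plain literal.
$requested = ['draft', "x') OR ('1'='1"];

[$where, $params] = buildMultiselectConditionSafe('status', $requested, ['status', 'id']);
$stmt = $pdo->prepare("SELECT COUNT(*) FROM objects WHERE $where");
$stmt->execute($params);
echo 'matching rows: ', $stmt->fetchColumn(), PHP_EOL;

// A filter on a column outside the allowlist is rejected before any SQL
// is assembled.
try {
    buildMultiselectConditionSafe('password', ['x'], ['status', 'id']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The two-part return (fragment plus parameter array) is the shape most query builders expect; keeping the column allowlist server-side is what closes the part of the issue that parameter binding alone cannot, since identifiers cannot be bound.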

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2023-47637
GHSA-72HH-XF79-429P

Affected Products

Pimcore