CVE-2023-3820

Name of the Vulnerable Software and Affected Versions pimcore/pimcore versions prior to 10.6.4 pimcore/pimcore version 10.6.4 is not affected, the fixed version is 10.6.5

Description The issue is related to SQL injection in the pimcore/pimcore GitHub repository. This is due to a lack of protection measures for the SQL query structure. An attacker can exploit this issue to conduct SQL injection attacks remotely. Using SQL exploitation tools, such as sqlmap, an attacker can enumerate all information in the database, alter data, or perform a denial of service on the backend database.

Recommendations For pimcore/pimcore versions prior to 10.6.4, update to version 10.6.5 to resolve the issue. As a temporary workaround, apply the patch manually from https://github.com/pimcore/pimcore/commit/e641968979d4a2377bbea5e2a76bdede040d0b97.patch to mitigate the risk of exploitation.