CVE-2023-28438

6.2 MEDIUM

📋 TL;DR

CVE-2023-28438 is a SQL injection vulnerability in Pimcore's reporting feature. An authenticated user with the 'report' permission can execute arbitrary SQL queries, and because the vulnerable request can be triggered via CSRF, an attacker can also exploit it by tricking such a user into clicking a malicious link, potentially leading to data manipulation or exfiltration. All Pimcore installations prior to version 10.5.19 are affected.

💻 Affected Systems

Products:
  • Pimcore
Versions: All versions prior to 10.5.19
Operating Systems: All platforms running Pimcore
Default Config Vulnerable: ⚠️ Yes
Notes: Requires at least one user with 'report' permission to be present in the system.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, modification, or deletion, and potential privilege escalation to administrative access.

🟠 Likely Case

Unauthorized data access and manipulation within the database, potentially exposing sensitive information stored in Pimcore.

🟢 If Mitigated

Limited impact with proper network segmentation and minimal user privileges, though SQL injection could still affect accessible data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated user with the 'report' permission and social engineering to get that user to click a malicious link.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.5.19

Vendor Advisory: https://github.com/pimcore/pimcore/security/advisories/GHSA-vf7q-g2pv-jxvx

Restart Required: Yes

Instructions:

1. Backup your Pimcore installation and database.
2. Update Pimcore to version 10.5.19 via composer: 'composer require pimcore/pimcore:10.5.19'.
3. Clear cache: 'bin/console cache:clear'.
4. Restart your web server.

🔧 Temporary Workarounds

Manual patch application (applies to: all)

Apply the security patch manually without upgrading the entire version.

Apply the patch from: https://github.com/pimcore/pimcore/commit/d1abadb181c88ebaa4bce1916f9077469d4ea2bc.patch

🧯 If You Can't Patch

  • Remove 'report' permission from all non-essential users to limit attack surface
  • Implement strict input validation and parameterized queries for all custom reporting functionality

🔍 How to Verify

Check if Vulnerable:

Check Pimcore version via admin dashboard or run: 'composer show pimcore/pimcore | grep version'

Check Version:

composer show pimcore/pimcore | grep version

Verify Fix Applied:

Confirm that the version is 10.5.19 or higher and verify that the reporting endpoint now uses the POST method with CSRF protection.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs from reporting endpoints
  • Multiple failed login attempts followed by report permission usage

Network Indicators:

  • GET requests to reporting endpoints with SQL-like parameters
  • Unusual database traffic patterns

SIEM Query:

source="web_logs" AND uri="/admin/reporting/*" AND (method="GET" OR params CONTAINS "SELECT" OR params CONTAINS "UNION")
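As an added example (not code from this page or from the Pimcore project), the SIEM query above expressed as a small Python filter over access-log lines: it flags GET requests to /admin/reporting/ paths and, as a separate higher-confidence reason, query parameters containing SQL keywords. It extends the page's two keywords (SELECT, UNION) with a few more common ones; the report path and the log lines are constructed samples, not real Pimcore routes or traffic.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in combined log format (not real Pimcore traffic).
# "/admin/reporting/example-report" is a placeholder path, not a real route.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2023:10:00:01 +0000] "GET /admin/reporting/example-report?sort=name&dir=DESC HTTP/1.1" 200 512
10.0.0.7 - - [01/Apr/2023:10:00:02 +0000] "GET /admin/reporting/example-report?filter=1%20UNION%20SELECT%201 HTTP/1.1" 200 2048
10.0.0.9 - - [01/Apr/2023:10:00:03 +0000] "POST /admin/reporting/example-report HTTP/1.1" 200 512
10.0.0.9 - - [01/Apr/2023:10:00:04 +0000] "GET /admin/login HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# The page's query looks for SELECT and UNION; a few more keywords are added here.
SQL_TOKENS = re.compile(r'\b(select|union|insert|update|delete|sleep)\b', re.IGNORECASE)
REPORTING_PREFIX = '/admin/reporting/'


def classify(line):
    """Return a finding dict for a suspicious reporting request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['uri'])
    if not parts.path.startswith(REPORTING_PREFIX):
        return None
    reasons = []
    # After 10.5.19 the endpoint is POST-only, so a GET here is anomalous on its own
    # (on unpatched hosts this matches normal traffic too; the SQL-keyword reason is
    # the higher-confidence signal).
    if m['method'] == 'GET':
        reasons.append('GET to reporting endpoint')
    # parse_qsl percent-decodes values, so encoded payloads are inspected decoded.
    params = parse_qsl(parts.query, keep_blank_values=True)
    hits = [k for k, v in params if SQL_TOKENS.search(v) or SQL_TOKENS.search(k)]
    if hits:
        reasons.append('SQL keyword in params: ' + ','.join(hits))
    if not reasons:
        return None
    return {'ip': m['ip'], 'method': m['method'], 'path': parts.path, 'reasons': reasons}


def scan(log_text):
    """Run classify() over every line and keep only the findings."""
    return [r for r in (classify(line) for line in log_text.splitlines()) if r]
```

Feed it a real access log and triage lines carrying the "SQL keyword in params" reason first; the GET-only findings are mainly useful after the upgrade, when no legitimate GET should reach the endpoint.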
