Login Sign Up

CVE-2023-30850

8.8 HIGH
SQL Injection

📋 TL;DR

CVE-2023-30850 is a SQL injection vulnerability in Pimcore's admin translations API that allows authenticated attackers to execute arbitrary SQL commands. This affects Pimcore installations before version 10.5.21. Attackers could potentially read, modify, or delete database content.

💻 Affected Systems

Products:
  • Pimcore
Versions: All versions before 10.5.21
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to admin translations API endpoint.

📦 What is this software?

Pimcore by Pimcore

View all CVEs affecting Pimcore →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, privilege escalation, or full system takeover via subsequent attacks.

🟠

Likely Case

Unauthorized data access, data manipulation, or privilege escalation within the Pimcore application.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and database user privilege restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated admin access to the vulnerable API endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.5.21

Vendor Advisory: https://github.com/pimcore/pimcore/security/advisories/GHSA-jwg4-qcgv-5wg6

Restart Required: Yes

Instructions:

1. Backup your Pimcore installation and database. 2. Update Pimcore to version 10.5.21 or later via composer: 'composer require pimcore/pimcore:^10.5.21'. 3. Clear cache and restart web server.

🔧 Temporary Workarounds

Manual patch application

all

Apply the security patch from GitHub commit without full upgrade

Apply patch from: https://github.com/pimcore/pimcore/commit/7e32cc28145274ddfc30fb791012d26c1278bd38.patch

🧯 If You Can't Patch

  • Restrict access to admin translations API endpoint using web application firewall rules
  • Implement additional input validation and parameterized queries for all SQL operations

🔍 How to Verify

Check if Vulnerable:

Check Pimcore version via admin interface or by examining composer.lock file for pimcore/pimcore version

Check Version:

composer show pimcore/pimcore | grep version

Verify Fix Applied:

Confirm version is 10.5.21 or later and verify patch files are present

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by admin translations API access
  • Unexpected database schema changes

Network Indicators:

  • Unusual traffic patterns to /admin/translations/* endpoints
  • SQL error messages in HTTP responses

SIEM Query:

source="web_server" AND (uri="/admin/translations/*" AND (status=500 OR response_size>10000))

📊 Metadata

CVE ID: CVE-2023-30850
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: April 27, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-30850, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)