Pimcore Security Vulnerabilities (CVEs)

This SQL injection vulnerability in Pimcore allows authenticated admin users to extract the entire database, including password hashes of other admin ...

Pimcore versions before 12.3.1 and 11.5.14 store sensitive information like database passwords and session cookies in the http_error_log file, which c...

This CVE describes an authorization bypass vulnerability in Pimcore's API endpoint for static routes. Authenticated backend users without proper permi...

This vulnerability allows authenticated backend users without proper permissions to access the complete list of Predefined Properties configurations i...

This CVE describes an authorization bypass vulnerability in Pimcore Web2Print Tools Bundle. Authenticated backend users without proper permissions can...

This CVE describes a blind SQL injection vulnerability in Pimcore's Admin Search Find API that affects authenticated users. Attackers can infer databa...

This SQL injection vulnerability in Pimcore allows authenticated users to craft malicious filter strings that can execute arbitrary SQL commands. The ...

This vulnerability in pimcore/admin-ui-classic-bundle allows attackers to enumerate valid user accounts via the 'Forgot password' function due to impr...

This critical SQL injection vulnerability in Pimcore Customer Data Framework allows remote attackers to execute arbitrary SQL commands via the filterD...

This vulnerability in Pimcore's Admin Classic Bundle exposes sensitive system information to authenticated users. By accessing the /admin/index/statis...

This CVE describes a Host Header Injection vulnerability in Pimcore's Admin Classic Bundle that allows attackers to manipulate invitation email links....

This vulnerability in Pimcore's Admin Classic Bundle allows attackers to perform account takeover by manipulating password reset emails. Attackers can...

This vulnerability in Pimcore's Admin Classic Bundle disables two-factor authentication for non-admin security firewalls, allowing authenticated users...

This is a SQL injection vulnerability in Pimcore's admin interface that allows authenticated backend users with basic permissions to execute arbitrary...

This vulnerability allows unauthenticated attackers to change passwords for any user account in Pimcore's admin-ui-classic-bundle without verification...

CVE-2023-3820 is an SQL injection vulnerability in Pimcore's data object grid feature that allows attackers to execute arbitrary SQL commands. This af...

This CVE describes a SQL injection vulnerability in Pimcore CMS versions prior to 10.5.24. Attackers can inject malicious SQL queries through user-con...

This vulnerability in Pimcore allows attackers to perform unsafe actions due to improperly defined privileges, potentially leading to privilege escala...

This vulnerability allows CSV formula injection attacks in Pimcore Customer Data Framework. Attackers can embed malicious formulas in CSV files that e...

CVE-2023-30850 is a SQL injection vulnerability in Pimcore's admin translations API that allows authenticated attackers to execute arbitrary SQL comma...

CVE-2023-30848 is a SQL injection vulnerability in Pimcore's admin search find API that allows attackers to execute arbitrary SQL commands. This affec...

CVE-2023-2338 is an SQL injection vulnerability in Pimcore's data management system that allows attackers to execute arbitrary SQL commands through cr...

This CVE describes a cross-site scripting (XSS) vulnerability in Pimcore, an open-source content management platform. Attackers can inject malicious s...

This stored cross-site scripting (XSS) vulnerability in Pimcore allows attackers to inject malicious scripts into web pages that are then executed whe...

This CVE-2023-28438 is a SQL injection vulnerability in Pimcore's reporting feature that allows authenticated users with 'report' permission to execut...

This CVE describes an SQL injection vulnerability in Pimcore, an open-source content management platform. Attackers can inject malicious SQL queries t...

This CVE describes an SQL injection vulnerability in Pimcore's UUID DAO model where improper quoting allows SQL injection if developers use affected m...

CVE-2023-25240 is an improper SameSite attribute vulnerability in pimCore v10.5.15 that allows attackers to bypass SameSite cookie restrictions, poten...

This vulnerability allows authenticated users to bypass file upload validation in Pimcore by adding a fake GIF signature to malicious files. Attackers...

CVE-2022-31092 is an SQL injection vulnerability in Pimcore's listing classes where improper quoting of order/group columns allows SQL injection when ...

This is a cross-site scripting (XSS) vulnerability in Pimcore's web interface that allows attackers to inject malicious scripts into web pages viewed ...

This vulnerability allows attackers to upload malicious files to Pimcore systems due to insufficient file type validation. It affects all Pimcore inst...

CVE-2021-39170 is a stored cross-site scripting (XSS) vulnerability in Pimcore that allows authenticated users to inject malicious scripts into asset ...

This is a SQL injection vulnerability in Pimcore's ClassificationstoreController that allows attackers to execute arbitrary SQL commands. It affects P...