Vulnerability Description
Pimcore is an open source data and experience management platform. Prior to version 10.5.19, quoting is not done properly in UUID DAO model. There is the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper input validation in advance and so relies on the auto-quoting being done by the DAO class. Users should update to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pimcore | Pimcore | < 10.5.19 |
Related Weaknesses (CWE)
References
- https://github.com/pimcore/pimcore/commit/08e7ba56ae983c3c67ec563b6989b16ef8f352Mailing ListPatch
- https://github.com/pimcore/pimcore/pull/14633Patch
- https://github.com/pimcore/pimcore/security/advisories/GHSA-xc9p-r5qj-8xm9PatchVendor Advisory
- https://github.com/pimcore/pimcore/commit/08e7ba56ae983c3c67ec563b6989b16ef8f352Mailing ListPatch
- https://github.com/pimcore/pimcore/pull/14633Patch
- https://github.com/pimcore/pimcore/security/advisories/GHSA-xc9p-r5qj-8xm9PatchVendor Advisory
FAQ
What is CVE-2023-28108?
CVE-2023-28108 is a vulnerability with a CVSS score of 7.9 (HIGH). Pimcore is an open source data and experience management platform. Prior to version 10.5.19, quoting is not done properly in UUID DAO model. There is the theoretical possibility to inject custom SQL i...
How severe is CVE-2023-28108?
CVE-2023-28108 has been rated HIGH with a CVSS base score of 7.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-28108?
Check the references section above for vendor advisories and patch information. Affected products include: Pimcore Pimcore.