Vulnerabilities > Pimcore > Pimcore > 5.2.2
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-11-15 | CVE-2019-18981 | Inappropriate Encoding for Output Context vulnerability in Pimcore Pimcore before 6.2.2 lacks an Access Denied outcome for a certain scenario of an incorrect recipient ID of a notification. | 7.5 |
| 2019-09-14 | CVE-2019-16318 | Unrestricted Upload of File with Dangerous Type vulnerability in Pimcore In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317. | 6.5 |
| 2019-09-14 | CVE-2019-16317 | Deserialization of Untrusted Data vulnerability in Pimcore In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerability than CVE-2019-10867 and CVE-2019-16318. | 6.5 |
| 2019-04-04 | CVE-2019-10867 | Deserialization of Untrusted Data vulnerability in Pimcore An issue was discovered in Pimcore before 5.7.1. | 6.5 |
| 2018-08-24 | CVE-2018-14059 | Cross-site Scripting vulnerability in Pimcore Pimcore allows XSS via Users, Assets, Data Objects, Video Thumbnails, Image Thumbnails, Field-Collections, Objectbrick, Classification Store, Document Types, Predefined Properties, Predefined Asset Metadata, Quantity Value, and Static Routes functions. | 3.5 |
| 2018-08-17 | CVE-2018-14058 | SQL Injection vulnerability in Pimcore Pimcore before 5.3.0 allows SQL Injection via the REST web service API. | 4.0 |
| 2018-08-17 | CVE-2018-14057 | Cross-Site Request Forgery (CSRF) vulnerability in Pimcore Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function. | 6.8 |