Vulnerabilities > Pimcore > Pimcore > 5.6.6

DATE CVE VULNERABILITY TITLE RISK
2019-11-15 CVE-2019-18981 Inappropriate Encoding for Output Context vulnerability in Pimcore
Pimcore before 6.2.2 lacks an Access Denied outcome for a certain scenario of an incorrect recipient ID of a notification.
network
low complexity
pimcore CWE-838
7.5
2019-09-14 CVE-2019-16318 Unrestricted Upload of File with Dangerous Type vulnerability in Pimcore
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.
network
low complexity
pimcore CWE-434
6.5
2019-09-14 CVE-2019-16317 Deserialization of Untrusted Data vulnerability in Pimcore
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerability than CVE-2019-10867 and CVE-2019-16318.
network
low complexity
pimcore CWE-502
6.5
2019-04-04 CVE-2019-10867 Deserialization of Untrusted Data vulnerability in Pimcore
An issue was discovered in Pimcore before 5.7.1.
network
low complexity
pimcore CWE-502
6.5