Vulnerabilities > Pimcore > High

DATE CVE VULNERABILITY TITLE RISK
2021-08-04 CVE-2021-31869 SQL Injection vulnerability in Pimcore Adminbundle
Pimcore AdminBundle version 6.8.0 and earlier suffers from a SQL injection issue in the specificID variable used by the application.
network
low complexity
pimcore CWE-89
7.5
7.5
2021-07-09 CVE-2021-23405 SQL Injection vulnerability in Pimcore
This affects the package pimcore/pimcore before 10.0.7.
network
low complexity
pimcore CWE-89
8.8
8.8
2021-02-18 CVE-2021-23340 Path Traversal vulnerability in Pimcore
This affects the package pimcore/pimcore before 6.8.8.
network
low complexity
pimcore CWE-22
7.1
7.1
2020-10-30 CVE-2020-7759 SQL Injection vulnerability in Pimcore
The package pimcore/pimcore from 6.7.2 and before 6.8.3 are vulnerable to SQL Injection in data classification functionality in ClassificationstoreController.
network
low complexity
pimcore CWE-89
7.2
7.2
2019-11-15 CVE-2019-18986 Improper Restriction of Excessive Authentication Attempts vulnerability in Pimcore
Pimcore before 6.2.2 allow attackers to brute-force (guess) valid usernames by using the 'forgot password' functionality as it returns distinct messages for invalid password and non-existing users.
network
low complexity
pimcore CWE-307
7.5
7.5
2019-09-14 CVE-2019-16318 Unrestricted Upload of File with Dangerous Type vulnerability in Pimcore
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.
network
low complexity
pimcore CWE-434
8.8
8.8
2019-09-14 CVE-2019-16317 Deserialization of Untrusted Data vulnerability in Pimcore
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerability than CVE-2019-10867 and CVE-2019-16318.
network
low complexity
pimcore CWE-502
8.8
8.8
2019-04-04 CVE-2019-10867 Deserialization of Untrusted Data vulnerability in Pimcore
An issue was discovered in Pimcore before 5.7.1.
network
low complexity
pimcore CWE-502
8.8
8.8
2018-08-17 CVE-2018-14057 Cross-Site Request Forgery (CSRF) vulnerability in Pimcore
Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function.
network
low complexity
pimcore CWE-352
8.8
8.8