Vulnerabilities > Pimcore > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-10-30 | CVE-2020-7759 | SQL Injection vulnerability in Pimcore The package pimcore/pimcore from 6.7.2 and before 6.8.3 are vulnerable to SQL Injection in data classification functionality in ClassificationstoreController. | 6.5 |
| 2019-11-18 | CVE-2019-10763 | SQL Injection vulnerability in Pimcore pimcore/pimcore before 6.3.0 is vulnerable to SQL Injection. | 4.0 |
| 2019-11-15 | CVE-2019-18986 | Improper Restriction of Excessive Authentication Attempts vulnerability in Pimcore Pimcore before 6.2.2 allow attackers to brute-force (guess) valid usernames by using the 'forgot password' functionality as it returns distinct messages for invalid password and non-existing users. | 5.0 |
| 2019-11-15 | CVE-2019-18985 | Improper Restriction of Excessive Authentication Attempts vulnerability in Pimcore Pimcore before 6.2.2 lacks brute force protection for the 2FA token. | 5.0 |
| 2019-11-15 | CVE-2019-18982 | Cross-site Scripting vulnerability in Pimcore bundles/AdminBundle/Controller/Admin/EmailController.php in Pimcore before 6.3.0 allows script execution in the Email Log preview window because of the lack of a Content-Security-Policy header. | 4.3 |
| 2019-10-31 | CVE-2019-18656 | Cross-site Scripting vulnerability in Pimcore 6.2.3 Pimcore 6.2.3 has XSS in the translations grid because bundles/AdminBundle/Resources/public/js/pimcore/settings/translations.js mishandles certain HTML elements. | 4.3 |
| 2019-09-14 | CVE-2019-16318 | Unrestricted Upload of File with Dangerous Type vulnerability in Pimcore In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317. | 6.5 |
| 2019-09-14 | CVE-2019-16317 | Deserialization of Untrusted Data vulnerability in Pimcore In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerability than CVE-2019-10867 and CVE-2019-16318. | 6.5 |
| 2019-04-04 | CVE-2019-10867 | Deserialization of Untrusted Data vulnerability in Pimcore An issue was discovered in Pimcore before 5.7.1. | 6.5 |
| 2018-08-17 | CVE-2018-14058 | SQL Injection vulnerability in Pimcore Pimcore before 5.3.0 allows SQL Injection via the REST web service API. | 4.0 |