CVE-2023-30855

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-30855

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-30855.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-30855

Aliases

GHSA-g2mc-fqqc-hxg3

Published

2023-05-08T18:15:14Z

Modified

2024-05-14T12:54:28.254388Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

Pimcore is an open source data and experience management platform. Versions of Pimcore prior to 10.5.18 are vulnerable to path traversal. The impact of this path traversal and arbitrary extension is limited to creation of arbitrary files and appending data to existing files. When combined with the SQL Injection, the exported data RESTRICTED DIFFUSION 9 / 9 can be controlled and a webshell can be uploaded. Attackers can use that to execute arbitrary PHP code on the server with the permissions of the webserver. Users may upgrade to version 10.5.18 to receive a patch or, as a workaround, apply the patch manually.

References

Affected packages

Git / github.com/pimcore/pimcore

Affected ranges

Type: GIT
Repo: https://github.com/pimcore/pimcore
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f1d904094700b513c4756904fa2b1e19d08d890e

Affected versions

2.*

2.2.0

2.2.1

2.2.2

2.3.0

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.1.0

3.1.1

4.*

4.0.0

4.0.1

4.1.0

4.1.1

4.1.2

4.1.3

4.2.0

4.3.0

4.3.1

4.4.0

4.4.1

4.4.2

4.4.3

4.5.0

v10.*

v10.0.0

v10.0.0-BETA1

v10.0.0-BETA2

v10.0.0-BETA3

v10.0.0-BETA4

v10.0.1

v10.0.2

v10.0.3

v10.0.4

v10.0.5

v10.0.6

v10.0.7

v10.0.8

v10.0.9

v10.1.0

v10.1.1

v10.1.2

v10.1.3

v10.1.4

v10.1.5

v10.2.0

v10.2.1

v10.2.10

v10.2.2

v10.2.3

v10.2.4

v10.2.5

v10.2.6

v10.2.7

v10.2.8

v10.2.9

v10.3.0

v10.3.1

v10.3.2

v10.3.3

v10.3.4

v10.3.5

v10.3.6

v10.4.0

v10.4.1

v10.4.2

v10.4.3

v10.4.4

v10.4.5

v10.4.6

v10.5.0

v10.5.1

v10.5.10

v10.5.11

v10.5.12

v10.5.13

v10.5.14

v10.5.15

v10.5.16

v10.5.17

v10.5.18

v10.5.19

v10.5.2

v10.5.20

v10.5.3

v10.5.4

v10.5.5

v10.5.6

v10.5.7

v10.5.8

v10.5.9

v5.*

v5.0.0

v5.0.0-RC

v5.0.1

v5.0.2

v5.0.3

v5.0.4

v5.1.0

v5.1.0-alpha

v5.1.1

v5.1.2

v5.1.3

v5.2.0

v5.2.3

v5.3.0

v5.3.1

v5.4.0

v5.4.1

v5.4.2

v5.4.3

v5.4.4

v5.5.0

v5.5.1

v5.5.2

v5.5.3

v5.5.4

v5.6.0

v5.6.1

v5.6.2

v5.6.3

v5.6.4

v5.6.5

v5.6.6

v5.7.0

v5.7.1

v5.7.2

v5.7.3

v5.8.0

v5.8.1

v5.8.2

v5.8.3

v6.*

v6.0.0

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.0.5

v6.1.0

v6.1.1

v6.1.2

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.3.0

v6.3.1

v6.3.2

v6.3.3

v6.3.4

v6.3.5

v6.3.6

v6.4.0

v6.4.1

v6.4.2

v6.5.0

v6.5.1

v6.5.2

v6.5.3

v6.6.0

v6.6.1

v6.6.10

v6.6.11

v6.6.2

v6.6.3

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7.0

v6.7.1

v6.7.2

v6.7.3

v6.8.0

v6.8.1

v6.8.10

v6.8.11

v6.8.12

v6.8.2

v6.8.3

v6.8.4

v6.8.5

v6.8.6

v6.8.7

v6.8.8

v6.8.9

v6.9.0

v6.9.1

v6.9.2

v6.9.3

v6.9.4

v6.9.5

v6.9.6