CVE-2024-23646

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-23646
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23646.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-23646
Aliases
Related
Published
2024-01-24T20:15:53Z
Modified
2025-07-02T00:30:48.703734Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, parameter selectedIds is susceptible to SQL Injection. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. Version 1.3.2 contains a fix for this issue.

References

Affected packages

Git / github.com/pimcore/admin-ui-classic-bundle

Affected ranges

Type
GIT
Repo
https://github.com/pimcore/admin-ui-classic-bundle
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

v1.*

v1.0.0
v1.0.0-BETA1
v1.0.0-RC1
v1.0.0-RC2
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.1.0
v1.1.0-RC1
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.2.0
v1.2.0-RC1
v1.2.1
v1.2.2
v1.2.3
v1.3.0
v1.3.0-RC1
v1.3.1