
CVE-2023-3673

Severity: High · Public PoC

Published: 14 July 2023
Modified: 21 November 2024
KEV Added: (not listed)
Patch: (see references)
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1137 (93.7th percentile)
Risk Priority: 21 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-3673 is a high-severity SQL Injection (CWE-89) vulnerability in Pimcore (vendor Pimcore, product pimcore). Its CVSS base score is 7.2 (High).

Operationally, its EPSS score ranks it in the top 6.3% of CVEs by exploit likelihood (93.7th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-3673 is a SQL injection vulnerability (CWE-89) affecting the Pimcore open-source platform prior to version 10.5.24. The flaw resides in the application's handling of database queries and carries a CVSS 3.1 base score of 7.2, reflecting a network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability when successfully exploited.

An authenticated attacker with administrative privileges can supply crafted input that alters intended SQL statements, enabling arbitrary data access, modification, or deletion within the underlying database. Because the vulnerability requires high privileges and no user interaction, exploitation is limited to insiders or compromised administrator accounts but can result in complete compromise of the application's data layer.

Public references point to a specific patch commit that resolves the issue and to the original huntr.dev bounty report that disclosed it. Administrators are advised to upgrade Pimcore to 10.5.24 or later to eliminate the injection vector.

The associated EPSS score has remained flat at 0.1137 with no material increase since disclosure, indicating limited observed exploitation interest to date.

EU & UK References

Vulnerability details

SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.24.

CWE(s)

CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: pimcore
Product: pimcore
Versions: ≤ 10.5.24

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

- Query input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation.
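The second control is the generic defence for CWE-89: keep attacker-controlled values out of the SQL text by binding them as parameters, and restrict anything that cannot be bound (such as a column name used in ORDER BY) to an allowlist. The example below is added here to illustrate that principle; it is not Pimcore's code and does not reproduce the code path affected by CVE-2023-3673, which the page does not show. It uses Python's built-in sqlite3 module with a constructed in-memory table, and contrasts a concatenated query (the weakness class) with a parameterized one and an allowlisted identifier.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the page).
SAMPLE_USERS = [("alice", "admin"), ("bob", "editor"), ("carol", "viewer")]

# Allowlist for identifiers that cannot be bound as parameters (hypothetical schema).
SORTABLE_COLUMNS = {"id", "name", "role"}


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_users_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """CWE-89 pattern: the caller-supplied value becomes part of the SQL text.

    Any quote character in `name` changes the statement's structure, so a
    value such as  x' OR '1'='1  widens the WHERE clause to every row.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_users_safe(conn: sqlite3.Connection, name: str) -> list:
    """Mitigation: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def list_users_sorted(conn: sqlite3.Connection, sort_column: str) -> list:
    """Mitigation for identifiers: ORDER BY cannot take a bound parameter,
    so the column name is validated against a fixed allowlist before use."""
    if sort_column not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_column)
    sql = "SELECT name FROM users ORDER BY " + sort_column
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("unsafe:", find_users_unsafe(db, crafted))   # returns every row
    print("safe:  ", find_users_safe(db, crafted))     # returns no rows
    print("sorted:", list_users_sorted(db, "role"))
```

The same split applies in any stack: values go through the driver's parameter binding, identifiers and keywords go through an allowlist, and a penetration test of the kind named in the first control is what confirms that no code path still concatenates.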

References