CVE-2023-3673
Published: 14 July 2023
Summary
CVE-2023-3673 is a high-severity SQL Injection (CWE-89) vulnerability in Pimcore Pimcore. Its CVSS base score is 7.2 (High).
Operationally, ranked in the top 6.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-3673 is a SQL injection vulnerability (CWE-89) affecting the Pimcore open-source platform prior to version 10.5.24. The flaw resides in the application's handling of database queries and carries a CVSS 3.1 base score of 7.2, reflecting network attack vector, low complexity, and high impact on confidentiality, integrity, and availability when successfully exploited.
An authenticated attacker with administrative privileges can supply crafted input that alters intended SQL statements, enabling arbitrary data access, modification, or deletion within the underlying database. Because the vulnerability requires high privileges and no user interaction, exploitation is limited to insiders or compromised administrator accounts but can result in complete compromise of the application's data layer.
Public references point to a specific patch commit that resolves the issue and to the original huntr.dev bounty report that disclosed it. Administrators are advised to upgrade Pimcore to 10.5.24 or later to eliminate the injection vector.
The associated EPSS score has remained flat at 0.1137 with no material increase since disclosure, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2143
Vulnerability details
SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.24.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.