Cyber Resilience

CVE-2023-47637

High · Public PoC

Published: 15 November 2023
Modified: 21 November 2024
KEV Added
Patch
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7657 (99.0th percentile)
Risk Priority: 64 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-47637 is a high-severity SQL Injection (CWE-89) vulnerability in Pimcore (vendor: Pimcore). Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Pimcore, an open source data and experience management platform, is affected by a SQL injection vulnerability in the /admin/object/grid-proxy endpoint. The endpoint passes request input directly to getFilterCondition() implementations on class fields and then executes the returned SQL; the Multiselect field implementation performs no normalization, escaping, or validation of the supplied value, resulting in CWE-89 exposure.
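As an added illustration (not Pimcore's own code), the Python below places the unsafe concatenation pattern the advisory describes next to a hardened filter builder that validates every multiselect value against the field's configured option list and passes values as bound parameters. The table, column and option names are assumptions constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for an object query table whose
# multiselect column stores selected options comma-separated. The schema,
# names and option set are assumptions for this example, not Pimcore's.
ROWS = [(1, "news,featured"), (2, "archive"), (3, "featured")]
ALLOWED_OPTIONS = {"news", "featured", "archive"}


def unsafe_filter_condition(field, value):
    # The pattern the advisory describes: the request value is pasted
    # straight into SQL with no normalization, escaping or validation.
    return f"{field} LIKE '%{value}%'"


def safe_filter_condition(field, values, allowed):
    # Hardened form: the column must be a plain identifier known to the
    # class definition, every selected option must exist in the field's
    # configured option list, and values travel as bound parameters.
    if not field.isidentifier():
        raise ValueError(f"unknown field {field!r}")
    clean = []
    for v in values:
        v = v.strip()
        if v not in allowed:
            raise ValueError(f"option not permitted for this field: {v!r}")
        clean.append(v)
    if not clean:
        return "1=1", []
    # Wrapping the column in delimiters makes the match exact per option,
    # so "news" cannot match a row whose value is "newsletter".
    clause = " OR ".join(f"(',' || {field} || ',') LIKE ?" for _ in clean)
    return f"({clause})", [f"%,{v},%" for v in clean]


def query_ids(values, allowed=ALLOWED_OPTIONS):
    # Runs the hardened condition against the constructed table and
    # returns the matching object ids in order.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE objects (id INTEGER, tags TEXT)")
    con.executemany("INSERT INTO objects VALUES (?, ?)", ROWS)
    where, params = safe_filter_condition("tags", values, allowed)
    sql = f"SELECT id FROM objects WHERE {where} ORDER BY id"
    return [row[0] for row in con.execute(sql, params)]
```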

Any authenticated backend user with basic permissions can exploit the flaw to execute arbitrary SQL statements, alter arbitrary data, or escalate privileges to at least administrator level. The attack requires no user interaction and can be performed over the network.

The issue was resolved in Pimcore 11.1.1; the project security advisory and associated commits on GitHub document the patch, and the maintainers state that no workarounds exist.

The EPSS score has remained elevated near its peak of 0.7713 with a current value of 0.7657.

EU & UK References

Vulnerability details

Pimcore is an Open Source Data & Experience Management Platform. In affected versions the `/admin/object/grid-proxy` endpoint calls `getFilterCondition()` on fields of classes to be filtered for, passing input from the request, and later executes the returned SQL. One implementation of `getFilterCondition()` is in `Multiselect`, which does not normalize/escape/validate the passed value. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. This vulnerability has been addressed in version 11.1.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

pimcore
pimcore
≤ 11.1.1

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses. (addresses: CWE-89)

Validates query inputs to prevent SQL syntax or command manipulation. (addresses: CWE-89)

References