CVE-2023-47637
Published: 15 November 2023
Summary
CVE-2023-47637 is a high-severity SQL injection (CWE-89) vulnerability in Pimcore. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Pimcore, an open source data and experience management platform, is affected by a SQL injection vulnerability in the /admin/object/grid-proxy endpoint. The endpoint passes request input directly to getFilterCondition() implementations on class fields and then executes the returned SQL; the Multiselect field implementation performs no normalization, escaping, or validation of the supplied value, resulting in CWE-89 exposure.
Any authenticated backend user with basic permissions can exploit the flaw to execute arbitrary SQL statements, alter arbitrary data, or escalate privileges to at least administrator level. The attack requires no user interaction and can be performed over the network.
The issue was resolved in Pimcore 11.1.1; the project security advisory and associated commits on GitHub document the patch, and the maintainers state that no workarounds exist.
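The bug class described above, modelled as an added example (this is not Pimcore's code; Pimcore is PHP on MySQL, while the table, column names, option list, sample rows and payload here are constructed for illustration and run against SQLite). The vulnerable builder splices the request value into the filter fragment exactly as the advisory describes; the hardened builder does the three things the `Multiselect` implementation was missing, normalising the value, validating it against the field's option list and binding it as a parameter, so the value never reaches the SQL as attacker-chosen text:

```python
import sqlite3

# Constructed sample data standing in for an object table whose Multiselect
# field stores its chosen options comma-separated (",red,blue,"). Assumption
# for illustration only, not Pimcore's real schema.
SAMPLE_ROWS = [
    (1, "public", ",red,blue,"),
    (2, "secret", ",green,"),
    (3, "secret", ",blue,"),
]

# Hypothetical option list of the Multiselect field, used by the hardened version.
FIELD_OPTIONS = {"red", "green", "blue"}


def vulnerable_filter_condition(column: str, value: str) -> str:
    """The flawed pattern: request input is spliced straight into the SQL
    fragment that the grid endpoint will later execute."""
    return f"{column} LIKE '%,{value},%'"


def hardened_filter_condition(column: str, value: str) -> tuple[str, list[str]]:
    """Normalise, validate against the field's option list, and hand the value
    to the driver as a bound parameter instead of SQL text."""
    value = value.strip()
    if value not in FIELD_OPTIONS:
        raise ValueError(f"unknown option for {column}: {value!r}")
    return f"{column} LIKE ?", [f"%,{value},%"]


def ids_visible_to_public(condition: str, params=()) -> list[int]:
    """Run a grid-style listing query: the caller's visibility restriction
    ANDed with the field's filter condition, then execute the assembled SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE objects (id INTEGER, visibility TEXT, colors TEXT)")
    conn.executemany("INSERT INTO objects VALUES (?, ?, ?)", SAMPLE_ROWS)
    sql = f"SELECT id FROM objects WHERE visibility = 'public' AND {condition} ORDER BY id"
    return [row[0] for row in conn.execute(sql, params)]


# Attacker-chosen filter value: closes the quoted literal, ORs in a tautology
# and comments out the rest of the statement, so the visibility restriction
# no longer applies. (Constructed payload; the trailing space matters for MySQL.)
INJECTION_VALUE = "' OR 1=1 -- "


def demo() -> dict:
    """Compare the two builders on a benign value and on the injection payload."""
    results = {
        "benign_vulnerable": ids_visible_to_public(
            vulnerable_filter_condition("colors", "blue")),
        "injected_vulnerable": ids_visible_to_public(
            vulnerable_filter_condition("colors", INJECTION_VALUE)),
        "benign_hardened": ids_visible_to_public(
            *hardened_filter_condition("colors", "blue")),
    }
    try:
        hardened_filter_condition("colors", INJECTION_VALUE)
        results["injected_hardened"] = "accepted"
    except ValueError:
        results["injected_hardened"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the vulnerable builder the benign filter returns only the public object, while the payload turns the WHERE clause into `visibility = 'public' AND colors LIKE '%,' OR 1=1 -- ,%'` and every row, including the "secret" ones, comes back. Binding the value as a parameter alone already defeats the payload (it becomes an ordinary LIKE pattern that matches nothing), but the allow-list matters as well: `%` and `_` are still wildcards inside a bound LIKE pattern, so an unvalidated value could still widen the filter beyond the field's real options.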
The EPSS score has remained elevated near its peak of 0.7713 with a current value of 0.7657.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2903
Vulnerability details
Pimcore is an Open Source Data & Experience Management Platform. In affected versions the `/admin/object/grid-proxy` endpoint calls `getFilterCondition()` on fields of classes to be filtered for, passing input from the request, and later executes the returned SQL. One implementation of `getFilterCondition()` is in `Multiselect`, which does not normalize/escape/validate the passed value. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. This vulnerability has been addressed in version 11.1.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Per-CVE control mapping has not yet run for this CVE; any controls suggested are derived only from the weakness type cited in the NVD entry (CWE-89, SQL injection).