SQL Injection in pimcore/pimcore

Valid

Reported on

Jan 9th 2022


Description

The storeId parameter of the classification store properties endpoint is not sanitised or escaped before it is used in a SQL statement, which could lead to SQL injection.

Proof of Concept

  1. Add items to the Classification Store: key definition, group, ...

  2. Injection (boolean-based):

https://demo.pimcore.fun/admin/classificationstore/properties?_dc=1639830472106&storeId=1))+and+((1=2&page=1&start=0&limit=25
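Added illustration, not Pimcore's own code: a constructed in-memory table stands in for the classification-store properties query, showing why the boolean payload above changes the result when storeId is interpolated into the SQL, and how strict integer validation plus a bound parameter removes the issue (table name, columns and rows are assumptions).

```python
import re
import sqlite3

# Boolean-based payload from the report, URL-decoded ('+' -> space)
PAYLOAD = "1)) and ((1=2"


def make_db():
    """Constructed toy schema standing in for the classification-store key table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keys (id INTEGER PRIMARY KEY, storeId INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO keys (storeId, name) VALUES (?, ?)",
        [(1, "color"), (1, "size"), (2, "weight")],
    )
    return conn


def properties_vulnerable(conn, store_id):
    """Unsafe pattern: the request parameter is spliced into the WHERE clause.
    With PAYLOAD the clause becomes ((storeId = 1)) and ((1=2)), so the
    attacker's boolean controls whether any rows come back."""
    sql = f"SELECT name FROM keys WHERE ((storeId = {store_id}))"
    return [row[0] for row in conn.execute(sql)]


def validate_store_id(store_id):
    """Accept only a plain decimal integer; anything else is rejected outright."""
    if not re.fullmatch(r"[0-9]+", str(store_id)):
        raise ValueError("storeId must be a non-negative integer")
    return int(store_id)


def properties_fixed(conn, store_id):
    """Hardened pattern: validate the type, then bind the value as a parameter."""
    sid = validate_store_id(store_id)
    rows = conn.execute("SELECT name FROM keys WHERE storeId = ?", (sid,))
    return [row[0] for row in rows]


def payload_rejected(store_id):
    """Helper for checks: True if the hardened path refuses this parameter."""
    try:
        validate_store_id(store_id)
    except ValueError:
        return True
    return False
```

The same payload returns two rows for a legitimate `storeId=1` and none for the injected string on the unsafe path, which is the observable difference a boolean-based probe relies on; the fixed path never reaches the database with it.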

Impact

A successful attack may result in the deletion of entire tables and, in certain cases, in the attacker gaining administrative rights to the database, writing a file to the server leading to remote code execution, or writing a script to extract data.

We are processing your report and will contact the pimcore team within 24 hours. 5 months ago
We have contacted a member of the pimcore team and are waiting to hear back 5 months ago
We have sent a follow up to the pimcore team. We will try again in 7 days. 4 months ago
Bernhard Rusch validated this vulnerability 4 months ago
laladee has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bernhard Rusch confirmed that a fix has been merged on 66281c 4 months ago
Bernhard Rusch has been awarded the fix bounty