SQL injection in ElementController.php in pimcore/pimcore


Reported on Apr 8th 2022


The property parameter of the filter is appended to the SQL query directly, which leads to a SQL injection problem. If you set a wrong value, you can see the error in the log (screenshot: image-20220408195824911). Then you can check the result (screenshot: image-20220408200016136) and compare it with the result after injection (screenshot: image-20220408200047184).

Proof of Concept

// PoC.js

"body": "filterText=sdf&page=1&start=0&limit=50&filter="+encodeURIComponent('[{"property":"id` = 1 or 1=1 # ","type":"string","value":"1","operator":"="}]')


This vulnerability is capable of stealing data.
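To make the defect concrete, here is an added example (not pimcore's code) of a filter-to-SQL builder in the shape the report describes, beside a hardened version that only accepts identifiers from a column allowlist; the function names, quoteValue() stand-in for $db->quote(), and the allowlist are assumptions for illustration.

```php
<?php
// Added example, not pimcore's own code. buildConditionVulnerable(),
// buildConditionSafe(), quoteValue() and $allowed are illustrative names.

// Constructed input: the decoded "filter" parameter from the report's PoC.
const POC_FILTER = '[{"property":"id` = 1 or 1=1 # ","type":"string","value":"1","operator":"="}]';

/** Stand-in for $db->quote(): turns a value into a SQL string literal. */
function quoteValue(string $v): string
{
    return "'" . str_replace("'", "''", $v) . "'";
}

/** Vulnerable shape: the identifier from the request is concatenated as-is. */
function buildConditionVulnerable(array $filter): string
{
    return '`' . $filter['property'] . '` = ' . quoteValue($filter['value']);
}

/**
 * Hardened shape: identifiers cannot be bound as parameters, so the property
 * is checked against the columns the endpoint actually supports, and any
 * stray backtick is escaped before the name is quoted. Values are still
 * quoted as literals.
 */
function buildConditionSafe(array $filter, array $allowedColumns): string
{
    $property = $filter['property'];
    if (!in_array($property, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unknown filter property: ' . $property);
    }
    return '`' . str_replace('`', '``', $property) . '` = ' . quoteValue($filter['value']);
}

$filters = json_decode(POC_FILTER, true, 512, JSON_THROW_ON_ERROR);
$allowed = ['id', 'key', 'path', 'type']; // assumed column set

// The "#" inside the property turns the rest of the WHERE clause into a comment.
echo buildConditionVulnerable($filters[0]), PHP_EOL;

try {
    echo buildConditionSafe($filters[0], $allowed), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A legitimate filter still works with the hardened builder.
echo buildConditionSafe(['property' => 'id', 'value' => '1'], $allowed), PHP_EOL;
```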

Timeline:
We are processing your report and will contact the pimcore team within 24 hours.
mylong modified the report.
We have contacted a member of the pimcore team and are waiting to hear back.
pimcore/pimcore maintainer has acknowledged this report.
aryaantony92 validated this vulnerability.
mylong has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
aryaantony92 marked this as fixed in 10.3.5 with commit adae3b.
aryaantony92 has been awarded the fix bounty.
ElementController.php#L249 has been validated.


Hi @aryaantony92, about the fix in line 245: $dateCondition = '`' . $filter[$propertyKey] . '` ' . ' BETWEEN ' . $db->quote($value) . ' AND ' . $db->quote($maxTime); Maybe the $filter[$propertyKey] should also be quoted?
