SQL injection in Data Objects function in pimcore/pimcore


Reported on

Jul 14th 2023


Log in as an admin, go to Data Objects function, and perform a sort action. Observer the request on Burpsuite and injection point is the 'sort' parameter

Proof of Concept

POC request that makes the application sleep for 5 seconds (Data Objects function) payload: %5b%7b%22property%22%3a%22id%3bselect%20sleep(5)--%20-%22%2c%22direction%22%3a%22DESC%22%7d%5d



Using some SQL exploitation tools such as sqlmap, an attacker can enumerate all information in the database, alter data or perform dos on the backend database.


We are processing your report and will contact the pimcore team within 24 hours. 2 months ago
2 months ago


Hello @maintainer, as your previous request I create the issue for the last function and set the affected version to 10.6.3.

We have contacted a member of the pimcore team and are waiting to hear back 2 months ago
Divesh Pahuja validated this vulnerability 2 months ago
hiu240900 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.6.4 with commit e64196 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Dao.php#L108 has been validated
Divesh Pahuja published this vulnerability 2 months ago
to join this conversation