SQL injection in Data Objects function in pimcore/pimcore

Valid

Reported on

Jul 14th 2023


Description

Log in as an admin, go to the Data Objects function, and perform a sort action. Observe the request in Burp Suite; the injection point is the 'sort' parameter.

Proof of Concept

PoC request that makes the application sleep for 5 seconds (Data Objects function). Payload: %5b%7b%22property%22%3a%22id%3bselect%20sleep(5)--%20-%22%2c%22direction%22%3a%22DESC%22%7d%5d


Impact

Using SQL exploitation tools such as sqlmap, an attacker can enumerate all information in the database, alter data, or perform a DoS on the backend database.
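An added example, not pimcore's code and not the change made in commit e64196: column names in ORDER BY cannot be bound as query parameters, so one way to handle a 'sort' value like the one in this report is to allowlist the property and direction before building the clause. The function name buildOrderBy, the column list and the MySQL-style backtick quoting are assumptions for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Build an ORDER BY clause from a JSON "sort" parameter of the shape
 * [{"property": "...", "direction": "..."}].
 * Hypothetical helper for illustration; not part of pimcore's API.
 */
function buildOrderBy(string $sortJson, array $allowedColumns): string
{
    $entries = json_decode($sortJson, true);
    if (!is_array($entries) || $entries === []) {
        throw new InvalidArgumentException('sort must be a non-empty JSON array');
    }

    $parts = [];
    foreach ($entries as $entry) {
        $property  = $entry['property'] ?? null;
        $direction = $entry['direction'] ?? 'ASC';

        // Identifiers cannot be bound, so accept only exact matches from a fixed list.
        if (!is_string($property) || !in_array($property, $allowedColumns, true)) {
            throw new InvalidArgumentException('sort property is not an allowed column');
        }
        // Direction is a keyword, not a value: accept only the two legal keywords.
        if (!is_string($direction) || !in_array(strtoupper($direction), ['ASC', 'DESC'], true)) {
            throw new InvalidArgumentException('sort direction must be ASC or DESC');
        }
        // Only allowlisted names reach this point, so quoting them is safe.
        $parts[] = '`' . $property . '` ' . strtoupper($direction);
    }

    return ' ORDER BY ' . implode(', ', $parts);
}

$allowed = ['id', 'name', 'modificationDate']; // constructed column list

// Constructed legitimate value, as sent when sorting a grid by id.
echo buildOrderBy('[{"property":"id","direction":"DESC"}]', $allowed), PHP_EOL;

// URL-decoded form of the PoC value from this report: rejected before any SQL is built.
$poc = urldecode('%5b%7b%22property%22%3a%22id%3bselect%20sleep(5)--%20-%22%2c%22direction%22%3a%22DESC%22%7d%5d');
try {
    buildOrderBy($poc, $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```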

Occurrences

We are processing your report and will contact the pimcore team within 24 hours. 2 months ago
hiu240900
2 months ago

Researcher


Hello @maintainer, as per your previous request, I created the issue for the last function and set the affected version to 10.6.3.

We have contacted a member of the pimcore team and are waiting to hear back 2 months ago
Divesh Pahuja validated this vulnerability 2 months ago
hiu240900 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.6.4 with commit e64196 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Dao.php#L108 has been validated
Divesh Pahuja published this vulnerability 2 months ago