Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, parameter `selectedIds` is susceptible to SQL Injection. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. Version 1.3.2 contains a fix for this issue.
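The description above names the flaw (an identifier list taken from the `selectedIds` request parameter reaching a SQL statement) but not the query shape or the fix. The following is an added, self-contained illustration written for this page; it is not Pimcore code and does not reproduce the real vulnerable query or the 1.3.2 patch. It assumes the common pattern in which a comma-separated id list is spliced into an `IN (...)` clause, and the table names, columns, rows and payloads are constructed for the demonstration. It shows the vulnerable builder next to a hardened one that allow-lists integers and binds them as parameters.

```python
"""Illustrative model of a list-of-ids SQL injection and its hardened form.

Added example for this advisory page; NOT Pimcore code. The page states only
that the `selectedIds` parameter of the download-as-zip feature was injectable
by a low-privileged backend user. The "ids spliced into IN (...)" shape, the
table/column names and the sample rows are constructed assumptions.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE assets (id INTEGER PRIMARY KEY, path TEXT);
        CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT, admin INTEGER);
        INSERT INTO assets VALUES (1, '/public/a.pdf'), (2, '/public/b.pdf'),
                                  (3, '/restricted/c.pdf');
        INSERT INTO users  VALUES (1, 'admin', 1), (2, 'editor', 0);
        """
    )
    return conn


def vulnerable_select(conn: sqlite3.Connection, selected_ids: str) -> list:
    """Assumed vulnerable pattern: the raw request string becomes SQL text."""
    sql = f"SELECT id FROM assets WHERE id IN ({selected_ids})"
    return [row[0] for row in conn.execute(sql)]


def parse_ids(selected_ids: str) -> list[int]:
    """Strict allow-list parse: comma-separated ASCII decimal integers only.

    Anything else (parentheses, keywords, comment markers, empty input)
    raises ValueError instead of reaching the database.
    """
    ids = []
    for part in selected_ids.split(","):
        part = part.strip()
        if not (part.isascii() and part.isdigit()):
            raise ValueError(f"invalid id: {part!r}")
        ids.append(int(part))
    return ids


def hardened_select(conn: sqlite3.Connection, selected_ids: str) -> list:
    """Hardened form: validated ints are bound as parameters.

    Only a string of '?' placeholders, derived from the count of validated
    ids, is generated into the SQL text; user data never is.
    """
    ids = parse_ids(selected_ids)
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id FROM assets WHERE id IN ({placeholders})"
    return [row[0] for row in conn.execute(sql, ids)]


def rejects(selected_ids: str) -> bool:
    """True when the hardened parser refuses the input."""
    try:
        parse_ids(selected_ids)
    except ValueError:
        return True
    return False


# Constructed payloads an authenticated low-privilege user could submit.
TAUTOLOGY = "1) OR 1=1 --"                         # returns every asset row
UNION_READ = "0) UNION SELECT name FROM users --"  # reads a different table


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, benign input :", vulnerable_select(db, "1,2"))
    print("vulnerable, tautology    :", vulnerable_select(db, TAUTOLOGY))
    print("vulnerable, union read   :", vulnerable_select(db, UNION_READ))
    print("hardened, benign input   :", hardened_select(db, "1,2"))
    print("hardened rejects payload :", rejects(TAUTOLOGY), rejects(UNION_READ))
```

Python's `sqlite3.Connection.execute` runs a single statement, so the demo shows the read side of the flaw (bypassing the id filter and pulling rows from an unrelated table). The data-alteration and privilege-escalation impact stated in the description follows from the same interpolation wherever the application's query path can execute an `UPDATE` or `INSERT`. The fix shown is validation plus parameter binding; escaping the string would be the wrong tool for a numeric list.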
                
Affected Vendors & Products
Pimcore, Admin Classic Bundle: 1.x branch, versions before 1.3.2.
Advisories

| Source | ID | Title |
|---|---|---|
| EUVD | EUVD-2024-0338 | Same text as the description above |
| GitHub GHSA | GHSA-cwx6-4wmf-c6xv | SQL Injection in Admin download files as zip |
Fixes
Solution
The advisory text states that version 1.3.2 contains a fix: upgrade the Admin Classic Bundle to 1.3.2 or later. No further vendor-provided solution is recorded here.
Workaround
No workaround given by the vendor.
CVE record
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2025-05-30T14:16:14.214Z
Reserved: 2024-01-19T00:18:53.234Z
Link: CVE-2024-23646
NVD record
Status: Modified
Published: 2024-01-24T20:15:53.877
Modified: 2024-11-21T08:58:04.867
Link: CVE-2024-23646