Description
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, parameter `selectedIds` is susceptible to SQL Injection. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. Version 1.3.2 contains a fix for this issue.
Analysis
No analysis available yet.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| pimcore | admin-ui-classic-bundle | affected |
|
No data.
No data available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 EUVD |
EUVD-2024-0338 | Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, parameter `selectedIds` is susceptible to SQL Injection. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. Version 1.3.2 contains a fix for this issue. |
 Github GHSA |
GHSA-cwx6-4wmf-c6xv | SQL Injection in Admin download files as zip |
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2025-05-30T14:16:14.214Z
Reserved: 2024-01-19T00:18:53.234Z
Link: CVE-2024-23646
Vulnrichment
No data.
NVD
Status : Modified
Published: 2024-01-24T20:15:53.877
Modified: 2024-11-21T08:58:04.867
Link: CVE-2024-23646
Redhat
No data.
OpenCVE Enrichment
No data.
Weaknesses