Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-28108: Improper quoting of columns when calling methods "getByUuid" & "exists" on UUID Model

Pimcore is an open source data and experience management platform. Prior to version 10.5.19, quoting is not done properly in UUID DAO model. There is the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper input validation in advance and so relies on the auto-quoting being done by the DAO class. Users should update to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually.

CVE
Open in Source
#sql#git#perl

High

dvesh3 published GHSA-xc9p-r5qj-8xm9

Mar 16, 2023

Package

composer pimcore/pimcore (Composer)

Affected versions

< 10.5.19

Patched versions

10.5.19

Description

Impact

The quoting is not done properly in UUID DAO model, so there’s the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper input validation in advance and so relies on the auto-quoting being done by the DAO class.

Patches

Update to version 10.5.19 or apply this patch manually https://github.com/pimcore/pimcore/commit/08e7ba56ae983c3c67ec563b6989b16ef8f35275.patch

Workarounds

Apply https://github.com/pimcore/pimcore/commit/08e7ba56ae983c3c67ec563b6989b16ef8f35275.patch manually.

References

#14633

Severity

High

7.9

/ 10

CVSS base metrics

Attack vector

Local

Attack complexity

Low

Privileges required

High

User interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

CVE ID

CVE-2023-28108

Weaknesses

CWE-89

Related news

GHSA-xc9p-r5qj-8xm9: Improper quoting of columns when calling methods "getByUuid" & "exists" on UUID Model

### Impact The quoting is not done properly in UUID DAO model, so there's the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper input validation in advance and so relies on the auto-quoting being done by the DAO class. ### Patches Update to version 10.5.19 or apply this patch manually https://github.com/pimcore/pimcore/commit/08e7ba56ae983c3c67ec563b6989b16ef8f35275.patch ### Workarounds Apply https://github.com/pimcore/pimcore/commit/08e7ba56ae983c3c67ec563b6989b16ef8f35275.patch manually. ### References #14633

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE