Headline
CVE-2023-30848: [Security] Fix Admin Search Find API SQL Injection by mattamon · Pull Request #14972 · pimcore/pimcore
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the admin search find API has a SQL injection vulnerability. Users should upgrade to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually.
Additional info****WHAT****🤖 Generated by Copilot at 812e8d7
Enhanced search query functionality and security in SearchController.php. Added exception handling for syntax errors and input sanitization to prevent SQL injection.
🤖 Generated by Copilot at 812e8d7
$fields sanitized
No SQL injection in spring
SyntaxErrorException
HOW****🤖 Generated by Copilot at 812e8d7
- Import SyntaxErrorException class to handle SQL syntax errors in search query (link)
- Sanitize $fields variable to remove SQL comments that could affect query execution (link)
Related news
### Impact SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior. In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack. It was observed that the reported API endpoint accessible by an authenticated administrator user and is vulnerable to SQL injection via the "fields[]" GET parameter. The parameter is not sanitized properly and is used in a SQL statement in an unsafe manner, resulting in SQL injection. ### Patches Update to version 10.5.21 or apply...