Pimcore Vulnerable to SQL Injection in getRelationFilterCondition · CVE-2025-27617 · GitHub Advisory Database · GitHub

Pimcore Vulnerable to SQL Injection in getRelationFilterCondition

Moderate severity GitHub Reviewed Published Mar 11, 2025 in pimcore/pimcore

Package

pimcore/pimcore (Composer)

Affected versions

< 11.5.4

Patched versions

11.5.4

Description

Summary

Authenticated users can craft a filter string used to cause a SQL injection.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.
This code does not look to sanitize inputs: https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Extension/RelationFilterConditionParser.php#L29-L47

c.f. with https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Multiselect.php#L332-L347

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

Impact

What kind of vulnerability is it? Who is impacted?

References

wisconaut published to pimcore/pimcore

Mar 11, 2025

Published by the National Vulnerability Database

Mar 11, 2025

Published to the GitHub Advisory Database Mar 11, 2025

Reviewed Mar 11, 2025

Severity

Moderate

/ 10

CVSS v4 base metrics

Exploitability Metrics

Attack Vector Network

Attack Complexity Low

Attack Requirements None

Privileges Required Low

User interaction None

Vulnerable System Impact Metrics

Confidentiality High

Integrity High

Availability High

Subsequent System Impact Metrics

Confidentiality None

Integrity None

Availability None

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U