
CVE-2024-23646: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in pimcore admin-ui-classic-bundle

High
Tags: vulnerability, cve-2024-23646, cwe-89
Published: Wed Jan 24 2024 (01/24/2024, 19:41:49 UTC)
Source: CVE Database V5
Vendor/Project: pimcore
Product: admin-ui-classic-bundle

Description

Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, parameter `selectedIds` is susceptible to SQL Injection. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. Version 1.3.2 contains a fix for this issue.

AI-Powered Analysis

AI analysis last updated: 07/08/2025, 19:56:03 UTC

Technical Analysis

CVE-2024-23646 is a high-severity SQL Injection vulnerability (CWE-89) affecting the Pimcore Admin Classic Bundle, specifically versions from 1.0.0 up to but not including 1.3.2. Pimcore is an open-source platform widely used for data and experience management, and its Admin Classic Bundle provides the backend user interface. The vulnerability resides in the handling of the 'selectedIds' parameter, which is used when backend users create zip files from available site files. Due to improper neutralization of special elements in SQL commands, an authenticated backend user with minimal permissions can inject arbitrary SQL statements. This flaw enables attackers to manipulate the database directly, potentially altering data or escalating their privileges to at least admin level. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network (AV:N). The CVSS 3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and only low privileges required. The issue was fixed in version 1.3.2 of the Admin Classic Bundle. No known exploits are currently reported in the wild, but the nature of the vulnerability makes it a critical risk for affected deployments.
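The advisory describes the flaw only at the level of "the `selectedIds` parameter is susceptible to SQL Injection". The following added example (not Pimcore's code, and not the bundle's actual schema or query) illustrates the general pattern behind such a finding: a comma-separated list of ids that is interpolated straight into an `IN (...)` clause, beside a hardened version that validates the parameter as a list of integers and binds the values as query parameters. The `assets` table, its rows and the function names are constructed for the demonstration; sqlite3 is used only because it ships with Python.

```python
import re
import sqlite3
from typing import List

# Constructed stand-in for a file/asset table; not Pimcore's schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (id INTEGER PRIMARY KEY, filename TEXT)")
    conn.executemany(
        "INSERT INTO assets VALUES (?, ?)",
        [(1, "brochure.pdf"), (2, "logo.png"), (3, "internal-report.xlsx")],
    )
    return conn


def select_vulnerable(conn: sqlite3.Connection, selected_ids: str) -> List[str]:
    """The injectable pattern (CWE-89): the raw request parameter becomes part
    of the SQL text, so anything other than a list of numbers changes the query."""
    sql = f"SELECT filename FROM assets WHERE id IN ({selected_ids})"
    return [row[0] for row in conn.execute(sql)]


def parse_selected_ids(selected_ids: str) -> List[int]:
    """Hardened parsing: accept only a non-empty, comma-separated list of
    unsigned integers; anything else is rejected before any SQL is built."""
    if not re.fullmatch(r"\d+(,\d+)*", selected_ids):
        raise ValueError("selectedIds must be a comma-separated list of integers")
    return [int(part) for part in selected_ids.split(",")]


def select_hardened(conn: sqlite3.Connection, selected_ids: str) -> List[str]:
    """Validated ids are bound as parameters; only the placeholder count,
    never user-controlled text, is spliced into the statement."""
    ids = parse_selected_ids(selected_ids)
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT filename FROM assets WHERE id IN ({placeholders})"
    return [row[0] for row in conn.execute(sql, ids)]


if __name__ == "__main__":
    db = make_db()
    print(select_vulnerable(db, "1,2"))          # intended use: two files
    print(select_vulnerable(db, "0) OR (1=1"))   # query rewritten: every file
    print(select_hardened(db, "1,2"))            # intended use still works
    try:
        select_hardened(db, "0) OR (1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

Both halves of the fix matter: the allow-list check gives a clear error for malformed input and bounds what reaches the database, and parameter binding means the ids are never interpreted as SQL even if a validator is later loosened.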

Potential Impact

For European organizations using Pimcore with the vulnerable Admin Classic Bundle versions, this vulnerability poses a significant risk. Attackers with minimal backend access can execute arbitrary SQL commands, leading to unauthorized data disclosure, data manipulation, or complete compromise of the Pimcore backend. This could result in leakage of sensitive business, customer, or personal data, violating GDPR and other data protection regulations. Privilege escalation to admin level could allow attackers to control the entire Pimcore instance, potentially disrupting business operations or enabling further lateral movement within the network. Given Pimcore's use in content management and digital experience platforms, exploitation could impact websites, digital assets, and customer-facing services. The vulnerability's ease of exploitation and high impact on data integrity and availability make it a critical concern for organizations handling sensitive or regulated data in Europe.

Mitigation Recommendations

1. Immediate upgrade of the Pimcore Admin Classic Bundle to version 1.3.2 or later is the primary and most effective mitigation.
2. Restrict backend user permissions strictly, ensuring only trusted users have access to the Admin Classic Bundle interface, minimizing the risk of exploitation by low-privilege users.
3. Implement network-level access controls such as VPNs or IP whitelisting to limit access to the Pimcore backend interface.
4. Monitor database logs and Pimcore application logs for unusual SQL queries or privilege escalations indicative of exploitation attempts.
5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'selectedIds' parameter.
6. Conduct regular security audits and penetration testing focused on backend interfaces to detect similar injection vulnerabilities.
7. Ensure backups of Pimcore data are current and tested to enable recovery in case of data tampering or loss.
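Recommendations 4 and 5 above ask for monitoring and WAF rules around the `selectedIds` parameter. As an added example (not from the advisory, the vendor or any WAF product), the script below shows the simplest useful form of that check applied to web-server access logs: extract every `selectedIds` value from the request line, percent-decode it, and flag any value that is not a plain comma-separated list of integers. The log lines, client addresses and the `/admin/zip-export` path are constructed for the demonstration and are not Pimcore's real route; a real rule would be keyed to whichever backend endpoint carries the parameter in your deployment.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in common log format; the path is a placeholder,
# not the bundle's actual zip-creation endpoint.
LOG_LINES = [
    '10.0.0.5 - editor [24/Jan/2024:10:00:01 +0000] "GET /admin/zip-export?selectedIds=12,15,19 HTTP/1.1" 200 512',
    '10.0.0.7 - editor [24/Jan/2024:10:00:09 +0000] "GET /admin/zip-export?selectedIds=12%29%20OR%20%281%3D1 HTTP/1.1" 200 9031',
    '10.0.0.9 - editor [24/Jan/2024:10:01:00 +0000] "GET /admin/zip-export?selectedIds=7 HTTP/1.1" 200 128',
    '10.0.0.9 - editor [24/Jan/2024:10:01:30 +0000] "GET /admin/dashboard HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
ID_LIST_RE = re.compile(r"\d+(,\d+)*")


def suspicious_selected_ids(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per request whose selectedIds value is not a plain
    integer list. Percent-decoding happens in parse_qs, so encoded payloads
    are inspected in their decoded form."""
    findings = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(match.group("target")).query
        params = parse_qs(query, keep_blank_values=True)
        # Accept both the scalar and the array-style spelling of the parameter.
        values = params.get("selectedIds", []) + params.get("selectedIds[]", [])
        for value in values:
            if not ID_LIST_RE.fullmatch(value):
                findings.append({
                    "client": match.group("client"),
                    "user": match.group("user"),
                    "selectedIds": value,
                })
    return findings


if __name__ == "__main__":
    for finding in suspicious_selected_ids(LOG_LINES):
        print(f"{finding['client']} ({finding['user']}): selectedIds={finding['selectedIds']!r}")
```

The allow-list approach (flag anything that is not the expected shape) is deliberately preferred over a deny-list of SQL keywords: it does not need updating for every new encoding or dialect trick, and it produces a single, explainable alert condition that can also be expressed as a WAF rule on the same parameter. Parameters sent in a POST body would need the request body logged or the check moved into the application or proxy, which access logs alone do not provide.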


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2024-01-19T00:18:53.234Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6839c098182aa0cae2b3b72c

Added to database: 5/30/2025, 2:28:40 PM

Last enriched: 7/8/2025, 7:56:03 PM

Last updated: 8/18/2025, 2:33:29 PM

