CVE-2024-23646 is a high-severity SQL Injection vulnerability (CWE-89) affecting the Pimcore Admin Classic Bundle, specifically versions from 1.0.0 up to but not including 1.3.2. Pimcore is an open-source platform widely used for data and experience management, and its Admin Classic Bundle provides the backend user interface. The vulnerability resides in the handling of the 'selectedIds' parameter, which is used when backend users create zip files from available site files. Due to improper neutralization of special elements in SQL commands, an authenticated backend user with minimal permissions can inject arbitrary SQL statements. This flaw enables attackers to manipulate the database directly, potentially altering data or escalating their privileges to at least admin level. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network (AV:N). The CVSS 3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and only low privileges required. The issue was fixed in version 1.3.2 of the Admin Classic Bundle. No known exploits are currently reported in the wild, but the nature of the vulnerability makes it a critical risk for affected deployments.

For European organizations using Pimcore with the vulnerable Admin Classic Bundle versions, this vulnerability poses a significant risk. Attackers with minimal backend access can execute arbitrary SQL commands, leading to unauthorized data disclosure, data manipulation, or complete compromise of the Pimcore backend. This could result in leakage of sensitive business, customer, or personal data, violating GDPR and other data protection regulations. Privilege escalation to admin level could allow attackers to control the entire Pimcore instance, potentially disrupting business operations or enabling further lateral movement within the network. Given Pimcore's use in content management and digital experience platforms, exploitation could impact websites, digital assets, and customer-facing services. The vulnerability's ease of exploitation and high impact on data integrity and availability make it a critical concern for organizations handling sensitive or regulated data in Europe.

1. Immediate upgrade of the Pimcore Admin Classic Bundle to version 1.3.2 or later is the primary and most effective mitigation. 2. Restrict backend user permissions strictly, ensuring only trusted users have access to the Admin Classic Bundle interface, minimizing the risk of exploitation by low-privilege users. 3. Implement network-level access controls such as VPNs or IP whitelisting to limit access to the Pimcore backend interface. 4. Monitor database logs and Pimcore application logs for unusual SQL queries or privilege escalations indicative of exploitation attempts. 5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'selectedIds' parameter. 6. Conduct regular security audits and penetration testing focused on backend interfaces to detect similar injection vulnerabilities. 7. Ensure backups of Pimcore data are current and tested to enable recovery in case of data tampering or loss.