High severityNVD Advisory· Published Jun 27, 2022· Updated Apr 22, 2025

SQL injection in pimcore

CVE-2022-31092

Description

Pimcore is an Open Source Data & Experience Management Platform. Pimcore offers developers listing classes to make querying data easier. This listing classes also allow to order or group the results based on one or more columns which should be quoted by default. The actual issue is that quoting is not done properly in both cases, so there's the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper input validation in advance and so relies on the auto-quoting being done by the listing classes. This issue has been resolved in version 10.4.4. Users are advised to upgrade or to apple the patch manually. There are no known workarounds for this issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
pimcore/pimcorePackagist	< 10.4.4	10.4.4

Affected products

Pimcore/Pimcorev5
Range: < 10.4.4

Patches

21559c6bf0e4

[Security] SQL Injection in Data Hub GraphQL (#12444)

https://github.com/pimcore/pimcoremcop1Jun 20, 2022via ghsa

commit

1 file changed · +16 −3

lib/Model/Listing/AbstractListing.php+16 −3 modified

@@ -235,7 +235,7 @@ public function setOrderKey($orderKey, $quote = true)
                 if ($quote === false) {
                     $this->orderKey[] = $o;
                 } elseif ($this->isValidOrderKey($o)) {
-                    $this->orderKey[] = '`' . $o . '`';
+                    $this->orderKey[] = $this->quoteIdentifier($o);
                 }
             }
         }
@@ -411,8 +411,14 @@ public function setGroupBy($groupBy, $qoute = true)
         if ($groupBy) {
             $this->groupBy = $groupBy;
 
-            if ($qoute && strpos($groupBy, '`') !== 0) {
-                $this->groupBy = '`' . $this->groupBy . '`';
+          if ($qoute) {
+                $quotedParts = [];
+                $parts = explode(",", trim($groupBy, '`'));
+                foreach($parts as $part) {
+                    $quotedParts[] = $this->quoteIdentifier(trim($part));
+                }
+
+                $this->groupBy = implode(", ", $quotedParts);
             }
         }
 
@@ -431,6 +437,13 @@ public function setValidOrders($validOrders)
         return $this;
     }
 
+    public function quoteIdentifier(string $value): string
+    {
+        $db = Db::get();
+
+        return $db->quoteIdentifier($value);
+    }
+
     /**
      * @param mixed $value
      * @param int|null $type

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-gvmf-wcx6-p974ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-31092ghsaADVISORY
github.com/pimcore/pimcore/commit/21559c6bf0e4e828d33ff7af6e88caecb5ac6549ghsax_refsource_MISCWEB
github.com/pimcore/pimcore/pull/12444ghsax_refsource_MISCWEB
github.com/pimcore/pimcore/security/advisories/GHSA-gvmf-wcx6-p974ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000