VYPR
High severity · NVD Advisory · Published Apr 27, 2023 · Updated Jan 30, 2025

Pimcore SQL Injection Vulnerability in Admin Search Find API

CVE-2023-30848

Description

Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the admin search find API has a SQL injection vulnerability. Users should upgrade to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually.
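The fix commit below strips one comment token from the user-supplied fields list; the durable mitigation for an injection in a column selector is to accept only identifiers that are known in advance and to quote them. The following PHP is an added example written for this page, not Pimcore's code and not part of the advisory. It assumes, from the `explode('~', $f)` visible in the patch, that each entry has the shape `brick~field` or plain `field`; the class name, the allowlist contents and the sample inputs are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Pimcore code: validate a search "fields" parameter
// against an allowlist before anything reaches a query builder.
// Assumption: entries look like "brick~field" or "field", mirroring the
// explode('~', $f) in the fix commit; brick '' means the object itself.

final class FieldSelectionValidator
{
    /** @var array<string, list<string>> brick name => permitted field names (constructed sample) */
    private array $allowed;

    public function __construct(array $allowed)
    {
        $this->allowed = $allowed;
    }

    /**
     * Returns the validated list of [brick, field] pairs or throws.
     * Nothing is rewritten: input either matches the allowlist or is rejected,
     * so a value such as "key--" is refused rather than silently turned into "key".
     */
    public function validate(mixed $fields): array
    {
        if (!is_array($fields)) {
            throw new \InvalidArgumentException('fields must be an array');
        }
        $result = [];
        foreach ($fields as $f) {
            if (!is_string($f)) {
                throw new \InvalidArgumentException('field entries must be strings');
            }
            $parts = explode('~', $f, 2);
            [$brick, $field] = count($parts) === 2 ? $parts : ['', $parts[0]];
            // Shape check first: letters, digits and underscore only, bounded length.
            foreach ([$brick, $field] as $part) {
                if ($part !== '' && !preg_match('/^[A-Za-z0-9_]{1,64}$/', $part)) {
                    throw new \InvalidArgumentException('invalid field selector');
                }
            }
            // Then the allowlist: the brick must be known and the field must belong to it.
            if (!isset($this->allowed[$brick]) || !in_array($field, $this->allowed[$brick], true)) {
                throw new \InvalidArgumentException('unknown field selector');
            }
            $result[] = [$brick, $field];
        }
        return $result;
    }

    /** Quote an already-validated identifier MySQL-style, doubling any embedded backtick. */
    public static function quoteIdentifier(string $id): string
    {
        return '`' . str_replace('`', '``', $id) . '`';
    }
}

// Constructed sample allowlist; a real deployment would derive it from the class definitions.
$validator = new FieldSelectionValidator([
    ''        => ['id', 'key', 'path', 'published'],
    'address' => ['street', 'city'],
]);

// Constructed inputs: one valid list, one carrying the token the patch strips,
// one naming a field that is not in the allowlist.
foreach ([['id', 'address~city'], ['id', 'key--'], ['address~zip']] as $input) {
    try {
        $pairs = $validator->validate($input);
        $cols = array_map(
            fn(array $p) => ($p[0] !== '' ? FieldSelectionValidator::quoteIdentifier($p[0]) . '.' : '')
                . FieldSelectionValidator::quoteIdentifier($p[1]),
            $pairs
        );
        echo 'accepted: ' . implode(', ', $cols) . PHP_EOL;
    } catch (\InvalidArgumentException $e) {
        echo 'rejected ' . json_encode($input) . ': ' . $e->getMessage() . PHP_EOL;
    }
}
```

Run it with any PHP 8 interpreter. The first input is accepted and rendered as quoted identifiers, the other two are rejected with a generic message that discloses nothing about the database. In a Doctrine DBAL setting the hand-written `quoteIdentifier()` would be replaced by the connection's own `quoteIdentifier()` method, but the allowlist step is the part that actually closes the injection.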

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Ecosystem   Affected versions   Patched versions
pimcore/pimcore   Packagist   < 10.5.21           10.5.21


Patches
25ad8674886f

Remove sql comments and add different exception on syntax error (#14972)

https://github.com/pimcore/pimcore · Matthias Schuhmayer · Apr 25, 2023 · via ghsa
1 file changed · +8 −1
  • bundles/AdminBundle/Controller/Searchadmin/SearchController.php · +8 −1 · modified
    @@ -15,6 +15,7 @@
     
     namespace Pimcore\Bundle\AdminBundle\Controller\Searchadmin;
     
    +use Doctrine\DBAL\Exception\SyntaxErrorException;
     use Pimcore\Bundle\AdminBundle\Controller\AdminController;
     use Pimcore\Bundle\AdminBundle\Controller\Traits\AdminStyleTrait;
     use Pimcore\Bundle\AdminBundle\Helper\GridHelperService;
    @@ -111,6 +112,8 @@ public function findAction(Request $request, EventDispatcherInterface $eventDisp
             $bricks = [];
             if (!empty($allParams['fields'])) {
                 $fields = $allParams['fields'];
    +            //remove sql comments
    +            $fields = str_replace('--', '', $fields);
     
                 foreach ($fields as $f) {
                     $parts = explode('~', $f);
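Review bot: stripping `--` from `$fields` is a denylist on a single comment token and does not make these values safe to place in a query; MySQL recognises other comment syntaxes, and an injected expression in a column position does not need a comment at all. Since each entry is split on `~` and used as a column reference, validate the parts against the known brick and field names (at minimum `/^[A-Za-z0-9_]+$/`) and quote them with the DBAL's `quoteIdentifier()`, rejecting the request on a mismatch rather than silently rewriting it. Silent rewriting also changes the semantics of harmless input such as a field literally named with a double hyphen, which is a second reason to fail closed here.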
    @@ -310,7 +313,11 @@ public function findAction(Request $request, EventDispatcherInterface $eventDisp
                 $searcherList = $beforeListLoadEvent->getArgument('list');
             }
     
    -        $hits = $searcherList->load();
    +        try {
    +            $hits = $searcherList->load();
    +        } catch (SyntaxErrorException $syntaxErrorException) {
    +            throw new \InvalidArgumentException('Check your arguments.');
    +        }
     
             $elements = [];
             foreach ($hits as $hit) {
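Review bot: the catch turns the DBAL syntax error into a generic `InvalidArgumentException`, which keeps the database error text out of the response, but it discards the original exception. Pass it as `$previous` so the cause still reaches the logs: `throw new \InvalidArgumentException('Check your arguments.', 0, $syntaxErrorException);`. Only `SyntaxErrorException` is caught, so other `Doctrine\DBAL\Exception` subclasses raised by `load()` for malformed input would still propagate with their full message; either widen the catch or handle it at the controller's error boundary. Either way this hunk masks the symptom; the field names need validating before the query is built.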
    

