VYPR
Moderate severity · NVD Advisory · Published Aug 4, 2023 · Updated Oct 3, 2024

Pimcore Path Traversal Vulnerability in AssetController:importServerFilesAction

CVE-2023-38708

Description

Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in AssetController::importServerFilesAction, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore_log parameter. This can lead to a denial of service through key-file overwrite. The impact of this vulnerability is that attackers can overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information. It could also cause a denial of service (DoS) if critical system files are overwritten or deleted.
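The defensive pattern the fix relies on is confining a user-supplied relative path to a base directory after resolving it with realpath(). The following PHP function is an added example written for this page, not Pimcore's code; the names resolveInsideBase(), demo(), and the temporary directory layout are assumptions. It covers the two edge cases a bare prefix check misses: realpath() returning false for a non-existent target, and a sibling directory that shares the base directory's name as a prefix.

```php
<?php
declare(strict_types=1);

// Added example, not part of Pimcore: resolve $userPath under $base and
// return the canonical path, or null when it escapes the base directory.
function resolveInsideBase(string $base, string $userPath): ?string
{
    $realBase = realpath($base);
    if ($realBase === false) {
        return null; // the base directory itself must exist
    }

    // A trailing separator makes the prefix check exact: "/srv/import-secret"
    // must not pass as being inside "/srv/import".
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() collapses "..", "." and symlinks; it returns false when the
    // target does not exist, which must be treated as a rejection rather than
    // handed to a string comparison.
    $resolved = realpath($realBase . DIRECTORY_SEPARATOR . $userPath);
    if ($resolved === false) {
        return null;
    }

    // The base directory itself is acceptable; anything else must sit below it.
    if ($resolved !== $realBase && !str_starts_with($resolved, $prefix)) {
        return null;
    }
    return $resolved;
}

// Constructed demo layout under the system temp directory (hypothetical paths):
//   <root>/import/ok.csv            allowed
//   <root>/import-secret/config.php sibling sharing the "import" prefix
//   <root>/outside.txt              parent directory
function demo(): array
{
    $root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'traversal-demo-' . bin2hex(random_bytes(4));
    $base = $root . DIRECTORY_SEPARATOR . 'import';
    $sibling = $root . DIRECTORY_SEPARATOR . 'import-secret';
    mkdir($base, 0700, true);
    mkdir($sibling, 0700, true);
    file_put_contents($base . DIRECTORY_SEPARATOR . 'ok.csv', "a,b\n");
    file_put_contents($sibling . DIRECTORY_SEPARATOR . 'config.php', "<?php // constructed\n");
    file_put_contents($root . DIRECTORY_SEPARATOR . 'outside.txt', "constructed\n");

    // input => whether the check should allow it
    $cases = [
        'ok.csv'                      => true,  // plain file inside the base
        './ok.csv'                    => true,  // dot segment collapses to the same file
        '../outside.txt'              => false, // climbs out of the base
        '../import-secret/config.php' => false, // sibling directory with a shared prefix
        'missing.csv'                 => false, // realpath() yields false
    ];

    $results = [];
    foreach ($cases as $input => $expectAllowed) {
        $allowed = resolveInsideBase($base, $input) !== null;
        $results[$input] = ($allowed === $expectAllowed) ? 'PASS' : 'FAIL';
    }

    // remove the constructed files and directories
    unlink($base . DIRECTORY_SEPARATOR . 'ok.csv');
    unlink($sibling . DIRECTORY_SEPARATOR . 'config.php');
    unlink($root . DIRECTORY_SEPARATOR . 'outside.txt');
    rmdir($base);
    rmdir($sibling);
    rmdir($root);

    return $results;
}

foreach (demo() as $input => $verdict) {
    printf("%-30s %s\n", $input, $verdict);
}
```

Because the comparison happens on the canonical path, the caller should also use the returned value for any subsequent file access rather than re-joining the original user input, so that the checked path and the opened path cannot diverge.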

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: pimcore/pimcore (Packagist)
Affected versions: < 10.6.7
Patched versions: 10.6.7

Affected products: 1

Patches: 1

58012d0e3b8b

Fix import server files dir traversal (#15664)

https://github.com/pimcore/pimcore · TobiSw61 · Aug 3, 2023 · via ghsa
1 file changed · +8 −0
  • bundles/AdminBundle/Controller/Admin/Asset/AssetController.php · +8 −0 · modified
    @@ -2477,6 +2477,14 @@ public function importServerFilesAction(Request $request)
     
             $files = explode('::', $request->get('files'));
     
    +        // prevent directory traversal
    +        foreach ($files as $file) {
    +            $absolutePath = realpath($serverPath.$file);
    +            if (!str_starts_with($absolutePath, $serverPath)) {
    +                throw $this->createAccessDeniedException('Please do not navigate out of the web root directory!');
    +            }
    +        }
    +
             foreach ($files as $file) {
                 $absolutePath = $serverPath . $file;
                 $this->checkForPharStreamWrapper($absolutePath);
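Review bot: the prefix check on `if (!str_starts_with($absolutePath, $serverPath))` is only as exact as `$serverPath` itself: nothing in the hunk shows `$serverPath` ending in a directory separator, so a sibling directory whose name begins with the same characters would satisfy the prefix test, and nothing shows `$serverPath` being canonicalised, so if it contains a symlink component the canonical result of `realpath($serverPath.$file)` may legitimately fail the comparison. Suggest comparing against `realpath($serverPath)` with a trailing `DIRECTORY_SEPARATOR` appended. Separately, `realpath()` returns `false` when the target does not exist; passing that into `str_starts_with()` relies on implicit coercion (or raises a `TypeError` under strict types), so an explicit `if ($absolutePath === false)` rejection before the prefix test would make the intent clear. The second loop still joins `$serverPath . $file` from the raw input rather than reusing the canonical path that was validated; using the resolved value avoids the checked and opened paths diverging.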
    

References: 4

News mentions: 0

No linked articles in our index yet.