VYPR
Get started
← All advisories
High severityNVD Advisory· Published Nov 15, 2023· Updated Aug 29, 2024

SQL Injection in Admin Grid Filter API in Pimcore

CVE-2023-47637

Description

Pimcore is an Open Source Data & Experience Management Platform. In affected versions the /admin/object/grid-proxy endpoint calls getFilterCondition() on fields of classes to be filtered for, passing input from the request, and later executes the returned SQL. One implementation of getFilterCondition() is in Multiselect, which does not normalize/escape/validate the passed value. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. This vulnerability has been addressed in version 11.1.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
pimcore/pimcorePackagist
< 11.1.111.1.1

Affected products

1

Patches

1
d164d99c90f0

Fix: escape filter values

https://github.com/pimcore/pimcorerobertSt7Nov 7, 2023via ghsa
commit
1 file changed · +2 2
  • models/DataObject/ClassDefinition/Data/Multiselect.php+2 2 modified
    @@ -302,8 +302,8 @@ public function getFilterConditionExt(mixed $value, string $operator, array $par
             }
 
             $value = $operator === '='
-                ? "'%,".$value.",%'"
-                : "'%,%".$value."%,%'";
+                ? $db->quote("%,". $value . ",%")
+                : $db->quote("%,%" .Helper::escapeLike($value). "%,%");
 
             return $key.' LIKE '.$value.' ';
         }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.