High severity · NVD Advisory · Published Jan 24, 2024 · Updated May 30, 2025
Pimcore Admin Classic Bundle SQL Injection in Admin download files as zip
CVE-2024-23646
Description
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, parameter selectedIds is susceptible to SQL Injection. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. Version 1.3.2 contains a fix for this issue.
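As an added illustration, not code from the bundle or from the advisory: a hypothetical PHP handler that resolves a comma-separated `selectedIds` request parameter to asset rows, in the shape that allows injection beside a hardened form. The `assets` table, the IN-clause form and both function names are assumptions.

```php
<?php
// Added example, not the bundle's code: a hypothetical handler that turns a
// "selectedIds" request parameter into an asset lookup, first the way that
// allows injection, then a hardened form. The IN-clause shape is our assumption.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE assets (id INTEGER PRIMARY KEY, path TEXT)');
$db->exec("INSERT INTO assets VALUES (1, '/a.png'), (2, '/b.pdf'), (3, '/c.zip')");

// Weak: the raw parameter string is spliced into the statement text, so
// whatever a backend user sends in selectedIds is executed as SQL.
function selectedAssetsUnsafe(PDO $db, string $selectedIds): array
{
    $sql = "SELECT id, path FROM assets WHERE id IN ($selectedIds)";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: parse the list into integers, reject anything else, and bind
// one placeholder per id so no user-controlled text reaches the SQL.
function selectedAssetsSafe(PDO $db, string $selectedIds): array
{
    $ids = [];
    foreach (explode(',', $selectedIds) as $raw) {
        $raw = trim($raw);
        if ($raw === '' || !ctype_digit($raw)) {
            throw new InvalidArgumentException('selectedIds must be a comma-separated list of integers');
        }
        $ids[] = (int) $raw;
    }
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, path FROM assets WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: both accept a normal selection; only the hardened
// version refuses a value that is not a list of integers.
print_r(selectedAssetsUnsafe($db, '1,2'));
print_r(selectedAssetsSafe($db, '1, 2'));
try {
    selectedAssetsSafe($db, '1) OR (1=1');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same rule applies to any other list-valued parameter the backend accepts: validate the type of each element before it is used, and let the database driver bind the values.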
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pimcore/admin-ui-classic-bundle (Packagist) | >= 1.0.0, < 1.3.2 | 1.3.2 |
Affected products
- Range: >= 1.0.0, < 1.3.2
References
- github.com/advisories/GHSA-cwx6-4wmf-c6xv (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-23646 (NVD advisory)
- github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php (source file)
- github.com/pimcore/admin-ui-classic-bundle/commit/363afef29496cc40a8b863c2ca2338979fcf50a8 (commit)
- github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.3.2 (release)
- github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-cwx6-4wmf-c6xv (vendor advisory)