Home > Vulnerability Database > CVE-2023-28108

Mend.io Vulnerability Database

CVE-2023-28108

Good to know:

Date: March 16, 2023

Pimcore is an open source data and experience management platform. Prior to version 10.5.19, quoting is not done properly in UUID DAO model. There is the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper input validation in advance and so relies on the auto-quoting being done by the DAO class. Users should update to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually.

Language: PHP

Severity Score

7.9

Related Resources (6)

Url: https://github.com/pimcore/pimcore/commit/08e7ba56ae983c3c67ec563b6989b16ef8f35275.patch

Url: https://github.com/pimcore/pimcore/security/advisories/GHSA-xc9p-r5qj-8xm9

Url: https://github.com/pimcore/pimcore/pull/14633

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-28108

Url: https://github.com/pimcore/pimcore

Url: https://www.mend.io/vulnerability-database/CVE-2023-28108

Severity Score

7.9

Weakness Type (CWE)

SQL Injection

CWE-89

Top Fix

Upgrade Version

Upgrade to version 10.5.19

Learn More

CVSS v3.1

Base Score:	7.9
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-28108

Good to know:

Date: March 16, 2023

Language: PHP

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?