Filtered by vendor Pimcore Subscriptions

Search

Switch to Advanced Search (Beta)
Total 145 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2018-14059 1 Pimcore 1 Pimcore 2024-11-21 N/A
Pimcore allows XSS via Users, Assets, Data Objects, Video Thumbnails, Image Thumbnails, Field-Collections, Objectbrick, Classification Store, Document Types, Predefined Properties, Predefined Asset Metadata, Quantity Value, and Static Routes functions.
CVE-2018-14058 1 Pimcore 1 Pimcore 2024-11-21 N/A
Pimcore before 5.3.0 allows SQL Injection via the REST web service API.
CVE-2018-14057 1 Pimcore 1 Pimcore 2024-11-21 N/A
Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function.
CVE-2023-2332 1 Pimcore 1 Pimcore 2024-11-19 4.8 Medium
A stored Cross-site Scripting (XSS) vulnerability exists in the Conditions tab of Pricing Rules in pimcore/pimcore versions 10.5.19. The vulnerability is present in the From and To fields of the Date Range section, allowing an attacker to inject malicious scripts. This can lead to the execution of arbitrary JavaScript code in the context of the user's browser, potentially stealing cookies or redirecting users to malicious sites. The issue is fixed in version 10.5.21.
CVE-2024-49370 1 Pimcore 1 Pimcore 2024-11-06 4.9 Medium
Pimcore is an open source data and experience management platform. When a PortalUserObject is connected to a PimcoreUser and "Use Pimcore Backend Password" is set to true, the change password function in Portal Profile sets the new password. Prior to Pimcore portal engine versions 4.1.7 and 3.1.16, the password is then set without hashing so it can be read by everyone. Everyone who combines PortalUser to PimcoreUsers and change passwords via profile settings could be affected. Versions 4.1.7 and 3.1.16 of the Pimcore portal engine fix the issue.