U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. VulnerabilitiesSearch And Statistics

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:pimcore:pimcore:1.5.0:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 108 matching records.
Displaying matches 101 through 108.
Vuln ID Summary CVSS Severity
CVE-2019-16318

In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.

Published: September 14, 2019; 2:15:11 PM -0400 		V4.0:(not available)
 V3.1: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2019-16317

In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerability than CVE-2019-10867 and CVE-2019-16318.

Published: September 14, 2019; 2:15:11 PM -0400 		V4.0:(not available)
 V3.1: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2019-10867

An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to /admin/class/bulk-commit, which will make it possible to exploit the unserialize function when passing untrusted values in the data parameter to bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php.

Published: April 04, 2019; 2:29:00 PM -0400 		V4.0:(not available)
 V3.0: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2018-14059

Pimcore allows XSS via Users, Assets, Data Objects, Video Thumbnails, Image Thumbnails, Field-Collections, Objectbrick, Classification Store, Document Types, Predefined Properties, Predefined Asset Metadata, Quantity Value, and Static Routes functions.

Published: August 24, 2018; 6:29:00 PM -0400 		V4.0:(not available)
 V3.0: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2018-14058

Pimcore before 5.3.0 allows SQL Injection via the REST web service API.

Published: August 17, 2018; 2:29:00 PM -0400 		V4.0:(not available)
 V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2018-14057

Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function.

Published: August 17, 2018; 2:29:00 PM -0400 		V4.0:(not available)
 V3.0: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2014-2922

The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.1.0 does not properly handle an object obtained by unserializing a pathname, which allows remote attackers to conduct PHP object injection attacks and delete arbitrary files via vectors involving a Zend_Http_Response_Stream object.

Published: April 21, 2014; 6:55:08 PM -0400 		V4.0:(not available)
 V3.x:(not available)
 V2.0: 6.4 MEDIUM
CVE-2014-2921

The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.0.0 does not properly handle an object obtained by unserializing Lucene search data, which allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via vectors involving a Zend_Pdf_ElementFactory_Proxy object and a pathname with a trailing \0 character.

Published: April 21, 2014; 6:55:08 PM -0400 		V4.0:(not available)
 V3.x:(not available)
 V2.0: 7.5 HIGH