SQL Injection in pimcore/pimcore


Reported on

Jan 9th 2022


The storeId parameter does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection.

Proof of Concept

  1. Add items to Classification Store: Key definition, Group,...

  2. Injection (boolean base):



A successful attack may result the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, write file to server lead to Remote code Execute, or write script to extract data

We are processing your report and will contact the pimcore team within 24 hours. 2 years ago
We have contacted a member of the pimcore team and are waiting to hear back 2 years ago
We have sent a follow up to the pimcore team. We will try again in 7 days. 2 years ago
Bernhard Rusch validated this vulnerability 2 years ago
laladee has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bernhard Rusch marked this as fixed with commit 66281c 2 years ago
Bernhard Rusch has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation