CVE-2023-28108

HIGH Year: 2023
CVSS v3 Score
7.8
High
Weakness Type
CWE-89
View all →

Vulnerability Description

Pimcore is an open source data and experience management platform. Prior to version 10.5.19, quoting is not done properly in UUID DAO model. There is the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper input validation in advance and so relies on the auto-quoting being done by the DAO class. Users should update to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually.

Related Vulnerabilities

CVE-2015-4669

HIGH
CVSS:7.8(High)

The MySQL "root" user in Xsuite 2.x does not have a password set, which allows local users to access databases on the system.

CWE-892015

CVE-2019-12372

HIGH
CVSS:7.8(High)

Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form.

CWE-892019

CVE-2019-20573

HIGH
CVSS:7.8(High)

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. There is local SQL injection in the RCS Content Provider. The Samsung IDs are SVE-2019-14059, SVE-2019-14685...

CWE-892019

CVE-2019-20574

HIGH
CVSS:7.8(High)

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. There is local SQL injection in the Wi-Fi history Content Provider. The Samsung ID is SVE-2019-14061 (August...

CWE-892019

CVE-2019-20591

HIGH
CVSS:7.8(High)

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. There is local SQL injection in the Gear VR Service Content Provider. The Samsung ID is SVE-2019-14058 (July...

CWE-892019

CVE-2019-20592

HIGH
CVSS:7.8(High)

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. There is local SQL injection in the Story Video Editor Content Provider. The Samsung ID is SVE-2019-14062 (J...

CWE-892019