
pimcore

155 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-5362
all versions
An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable
5.4 MEDIUM
CVE-2026-27461
<= 11.5.14.1
Pimcore is an Open Source Data & Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter
4.9 MEDIUM
CVE-2026-23496
< 5.2.2
Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails t
5.4 MEDIUM
CVE-2026-23495
< 1.7.16
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefin
4.3 MEDIUM
CVE-2026-23494
< 11.5.14
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce pro
4.3 MEDIUM
CVE-2026-23493
< 11.5.14
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $
8.6 HIGH
CVE-2026-23492
< 11.5.14
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in
8.8 HIGH
CVE-2025-30166
< 1.7.6
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. An HTML injection issue allows users with access to the email se
4.8 MEDIUM
CVE-2025-27617
< 11.5.4
Pimcore is an open source data and experience management platform. Prior to version 11.5.4, authenticated users can craft a filter
8.8 HIGH
CVE-2025-24980
< 1.7.4.1
pimcore/admin-ui-classic-bundle provides a Backend UI for Pimcore. In affected versions an error message discloses existing accoun
5.3 MEDIUM
CVE-2024-11956
< 4.2.1
A vulnerability, which was classified as critical, has been found in Pimcore customer-data-framework up to 4.2.0. Affected by this
4.7 MEDIUM
CVE-2024-11954
all versions
A vulnerability classified as problematic was found in Pimcore 11.4.2. Affected by this vulnerability is an unknown functionality
2.4 LOW
CVE-2023-2332
all versions
A stored Cross-site Scripting (XSS) vulnerability exists in the Conditions tab of Pricing Rules in pimcore/pimcore versions 10.5.1
4.8 MEDIUM
CVE-2024-49370
< 3.1.16
Pimcore is an open source data and experience management platform. When a PortalUserObject is connected to a PimcoreUser and "Use
4.9 MEDIUM
CVE-2024-41109
< 1.3.10
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Navigating to /admin/index/statistics with a logge
6.3 MEDIUM
CVE-2024-32871
>= 11.0.0 and < 11.2.4
Pimcore is an Open Source Data & Experience Management Platform. The Pimcore thumbnail generation can be used to flood the server
7.5 HIGH
CVE-2024-29197
>= 11.0.0 and < 11.1.6.1
Pimcore is an Open Source Data & Experience Management Platform. Any call with the query argument ?pimcore_preview=true allows t
6.5 MEDIUM
CVE-2024-25625
< 1.3.4
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in `pimco
8.1 HIGH
CVE-2024-24822
< 1.3.3
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Prior to version 1.3.3, an attacker can create, dele
6.5 MEDIUM
CVE-2024-23646
>= 1.0.0 and < 1.3.2
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files fro
8.8 HIGH
CVE-2024-23648
< 1.2.3
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the us
8.8 HIGH
CVE-2024-21667
< 4.0.6
pimcore/customer-data-framework is the Customer Management Framework for management of customer data within Pimcore. An authentica
6.5 MEDIUM
CVE-2024-21666
< 4.0.6
The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management, segmentation, personalization
6.5 MEDIUM
CVE-2024-21665
< 1.0.10
ecommerce-framework-bundle is the Pimcore Ecommerce Framework Bundle. An authenticated and unauthorized user can access the back-o
4.3 MEDIUM
CVE-2023-49076
< 4.0.5
Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks
4.3 MEDIUM
CVE-2023-49075
< 1.2.2
The Admin Classic Bundle provides a Backend UI for Pimcore. AdminBundle\Security\PimcoreUserTwoFactorCondition introduced in v11
8.4 HIGH
CVE-2023-47637
< 11.1.1
Pimcore is an Open Source Data & Experience Management Platform. In affected versions the /admin/object/grid-proxy endpoint call
8.8 HIGH
CVE-2023-47636
< 1.2.1
The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Full Path Disclosure (FPD) vulnerabilities enable the attacker
5.3 MEDIUM
CVE-2023-46722
< 1.2.0
The Pimcore Admin Classic Bundle provides a backend UI for Pimcore. Prior to version 1.2.0, a cross-site scripting vulnerability h
6.1 MEDIUM
CVE-2023-5873
< 11.1.0
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 11.1.0.
5.4 MEDIUM
CVE-2023-5844
<= 1.1.4
Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0.
7.2 HIGH
CVE-2023-5192
< 10.3.0
Excessive Data Query Operations in a Large Data Table in GitHub repository pimcore/demo prior to 10.3.0.
6.5 MEDIUM
CVE-2023-42817
< 1.1.2
Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore. The translation value with text including “%s” (from “%su
5.4 MEDIUM
CVE-2023-4453
< 10.6.8
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.8.
5.4 MEDIUM
CVE-2023-38708
< 10.6.7
Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal
6.3 MEDIUM
CVE-2023-4145
< 3.4.2
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/customer-data-framework prior to 3.4.2.
5.4 MEDIUM
CVE-2023-3822
< 10.6.4
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.4.
6.1 MEDIUM
CVE-2023-3821
< 10.6.4
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.6.4.
5.4 MEDIUM
CVE-2023-3820
< 10.6.4
SQL Injection in GitHub repository pimcore/pimcore prior to 10.6.4.
7.2 HIGH
CVE-2023-3819
< 10.6.4
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pimcore/pimcore prior to 10.6.4.
6.5 MEDIUM
CVE-2023-3673
< 10.5.24
SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.24.
7.2 HIGH
CVE-2023-37280
< 1.0.3
Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. An admin who has not set up two factor
5.0 MEDIUM
CVE-2023-3574
< 3.4.1
Improper Authorization in GitHub repository pimcore/customer-data-framework prior to 3.4.1.
6.5 MEDIUM
CVE-2023-2984
< 10.5.22
Path Traversal: '\..\filename' in GitHub repository pimcore/pimcore prior to 10.5.22.
8.8 HIGH
CVE-2023-2983
< 10.5.23
Privilege Defined With Unsafe Actions in GitHub repository pimcore/pimcore prior to 10.5.23.
8.8 HIGH
CVE-2023-2881
< 3.3.10
Storing Passwords in a Recoverable Format in GitHub repository pimcore/customer-data-framework prior to 3.3.10.
4.9 MEDIUM
CVE-2023-2756
< 3.3.10
SQL Injection in GitHub repository pimcore/customer-data-framework prior to 3.3.10.
7.2 HIGH
CVE-2023-2730
< 10.3.3
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3.
5.4 MEDIUM
CVE-2023-32075
< 3.3.9
The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management. In `pimcore/customer-manageme
4.3 MEDIUM
CVE-2023-2630
< 10.5.21
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
4.8 MEDIUM
CVE-2023-2629
< 3.3.9
Improper Neutralization of Formula Elements in a CSV File in GitHub repository pimcore/customer-data-framework prior to 3.3.9.
7.8 HIGH
CVE-2023-2615
< 10.5.21
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21.
5.4 MEDIUM
CVE-2023-2614
< 10.5.21
Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.21.
5.4 MEDIUM
CVE-2023-2616
< 10.5.21
Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21.
5.4 MEDIUM
CVE-2023-30855
< 10.5.18
Pimcore is an open source data and experience management platform. Versions of Pimcore prior to 10.5.18 are vulnerable to path tra
6.5 MEDIUM
CVE-2023-2361
< 10.5.21
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
5.4 MEDIUM
CVE-2023-30852
< 10.5.21
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the /admin/misc/script-proxy API en
4.4 MEDIUM
CVE-2023-30850
< 10.5.21
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, a SQL Injection vulnerability exists
8.8 HIGH
CVE-2023-30849
< 10.5.21
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, a SQL injection vulnerability exists
8.8 HIGH
CVE-2023-30848
< 10.5.21
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the admin search find API has a SQL i
8.8 HIGH
CVE-2023-2343
< 10.5.21
Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.21.
5.4 MEDIUM
CVE-2023-2342
< 10.5.21
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21.
5.4 MEDIUM
CVE-2023-2341
< 10.5.21
Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21.
6.1 MEDIUM
CVE-2023-2340
< 10.5.21
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
5.4 MEDIUM
CVE-2023-2339
< 10.5.21
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21.
5.4 MEDIUM
CVE-2023-2338
< 10.5.21
SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.21.
8.8 HIGH
CVE-2023-2336
< 10.5.21
Path Traversal in GitHub repository pimcore/pimcore prior to 10.5.21.
6.5 MEDIUM
CVE-2023-2328
< 10.5.21
Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21.
5.4 MEDIUM
CVE-2023-2327
< 10.5.21
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
5.4 MEDIUM
CVE-2023-2323
< 10.5.21
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
5.4 MEDIUM
CVE-2023-2322
< 10.5.21
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
5.4 MEDIUM
CVE-2023-28850
< 1.5.1
Pimcore Perspective Editor provides an editor for Pimcore that allows users to add/remove/edit custom views and perspectives. This
6.1 MEDIUM
CVE-2023-1704
< 10.5.20
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.20.
5.4 MEDIUM
CVE-2023-1703
< 10.5.20
Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.20.
5.4 MEDIUM
CVE-2023-1702
< 10.5.20
Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.20.
5.4 MEDIUM
CVE-2023-1701
< 10.5.20
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.20.
5.4 MEDIUM
CVE-2023-28438
< 10.5.19
Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission
6.2 MEDIUM
CVE-2023-1578
< 10.5.19
SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.19.
8.8 HIGH
CVE-2023-1517
< 10.5.19
Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.19.
4.8 MEDIUM
CVE-2023-28429
< 10.5.19
Pimcore is an open source data and experience management platform. Versions prior to 10.5.19 have an unsecured tooltip field in Da
6.1 MEDIUM
CVE-2023-1515
< 10.5.19
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19.
5.4 MEDIUM
CVE-2023-28108
< 10.5.19
Pimcore is an open source data and experience management platform. Prior to version 10.5.19, quoting is not done properly in UUID
7.9 HIGH
CVE-2023-28106
< 10.5.19
Pimcore is an open source data and experience management platform. Prior to version 10.5.19, an attacker can use cross-site script
6.1 MEDIUM
CVE-2023-1429
< 10.5.19
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.19.
5.4 MEDIUM
CVE-2023-1312
< 10.5.19
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.19.
4.8 MEDIUM
CVE-2023-1286
< 10.5.19
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19.
4.8 MEDIUM
CVE-2023-1117
< 10.5.18
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18.
5.4 MEDIUM
CVE-2023-1116
< 10.5.18
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18.
5.4 MEDIUM
CVE-2023-1115
< 10.5.18
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18.
5.4 MEDIUM
CVE-2023-1067
< 10.5.18
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18.
5.4 MEDIUM
CVE-2023-0827
< 1.5.17
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 1.5.17.
5.4 MEDIUM
CVE-2023-25240
all versions
An improper SameSite Attribute vulnerability in Pimcore v10.5.15 allows attackers to execute arbitrary code.
8.8 HIGH
CVE-2023-23937
< 10.5.16
Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. The upload functi
8.2 HIGH
CVE-2023-0323
< 10.5.14
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.14.
5.4 MEDIUM
CVE-2022-39365
< 10.5.9
Pimcore is an open source data and experience management platform. Prior to version 10.5.9, the user controlled twig templates ren
9.8 CRITICAL
CVE-2022-3255
< 10.5.7
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user.
4.8 MEDIUM
CVE-2022-3211
< 10.5.6
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.6.
5.4 MEDIUM
CVE-2022-2796
< 10.5.4
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.4.
4.8 MEDIUM
CVE-2022-31092
< 10.4.4
Pimcore is an Open Source Data & Experience Management Platform. Pimcore offers developers listing classes to make querying data e
7.5 HIGH
CVE-2022-1429
< 10.3.6
SQL injection in GridHelperService.php in GitHub repository pimcore/pimcore prior to 10.3.6. This vulnerability is capable of stea
7.5 HIGH
CVE-2022-1351
< 10.4.0
Stored XSS in Tooltip in GitHub repository pimcore/pimcore prior to 10.4.
5.4 MEDIUM
CVE-2022-1339
< 10.3.5
SQL injection in ElementController.php in GitHub repository pimcore/pimcore prior to 10.3.5. This vulnerability is capable of stea
7.5 HIGH
CVE-2022-1219
< 10.3.5
SQL injection in RecyclebinController.php in GitHub repository pimcore/pimcore prior to 10.3.5. This vulnerability is capable of s
7.5 HIGH
CVE-2022-0955
< 1.2.4
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/data-hub prior to 1.2.4.
4.8 MEDIUM
CVE-2022-0705
<= 10.3.0
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.
5.4 MEDIUM
CVE-2022-0704
<= 10.3.0
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.
5.4 MEDIUM
CVE-2022-0911
<= 10.3.0
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.
5.4 MEDIUM
CVE-2022-0894
<= 10.3.0
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.
5.4 MEDIUM
CVE-2022-0893
<= 10.3.0
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.
5.4 MEDIUM
CVE-2022-0832
< 10.3.3
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3.
5.4 MEDIUM
CVE-2022-0831
< 10.3.3
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3.
5.4 MEDIUM
CVE-2022-0665
< 10.3.2
Path Traversal in GitHub repository pimcore/pimcore prior to 10.3.2.
6.5 MEDIUM
CVE-2022-0565
< 10.3.1
Cross-site Scripting in Packagist pimcore/pimcore prior to 10.3.1.
7.6 HIGH
CVE-2022-0510
<= 10.3.0
Cross-site Scripting (XSS) - Reflected in Packagist pimcore/pimcore prior to 10.3.1.
5.4 MEDIUM
CVE-2022-0509
< 10.3.1
Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.3.1.
5.4 MEDIUM
CVE-2022-0348
< 10.2
Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.
5.4 MEDIUM
CVE-2022-0251
< 10.2.0
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.2.10.
5.4 MEDIUM
CVE-2022-0285
< 10.2.9
Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.9.
5.4 MEDIUM
CVE-2022-0263
< 10.2.7
Unrestricted Upload of File with Dangerous Type in Packagist pimcore/pimcore prior to 10.2.7.
7.8 HIGH
CVE-2022-0262
< 10.2.7
Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.7.
6.1 MEDIUM
CVE-2021-4146
< 10.2.6
Business Logic Errors in GitHub repository pimcore/pimcore prior to 10.2.6.
4.3 MEDIUM
CVE-2022-0260
< 10.2.7
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.2.7.
5.4 MEDIUM
CVE-2022-0258
< 10.2.8
pimcore is vulnerable to Improper Neutralization of Special Elements used in an SQL Command
8.8 HIGH
CVE-2022-0257
< 10.2.8
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
5.4 MEDIUM
CVE-2022-0256
< 10.2.8
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
5.4 MEDIUM
CVE-2021-4139
< 10.2.7
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
9.0 CRITICAL
CVE-2021-4084
< 10.2.6
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1 MEDIUM
CVE-2021-4082
< 10.2.6
pimcore is vulnerable to Cross-Site Request Forgery (CSRF)
4.3 MEDIUM
CVE-2021-4081
< 10.2.6
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1 MEDIUM
CVE-2021-39189
< 10.1.3
Pimcore is an open source data & experience management platform. In versions prior to 10.1.3, it is possible to enumerate username
5.3 MEDIUM
CVE-2021-39170
< 10.1.2
Pimcore is an open source data & experience management platform. Prior to version 10.1.2, an authenticated user could add XSS code
8.0 HIGH
CVE-2021-39166
< 10.1.2
Pimcore is an open source data & experience management platform. Prior to version 10.1.2, text-values were not properly escaped be
8.0 HIGH
CVE-2021-37702
< 10.1.1
Pimcore is an open source data & experience management platform. Prior to version 10.1.1, Data Object CSV import allows formula i
8.0 HIGH
CVE-2021-31869
< 6.9.4
Pimcore AdminBundle version 6.8.0 and earlier suffers from a SQL injection issue in the specificID variable used by the applicatio
6.5 MEDIUM
CVE-2021-31867
< 3.0.2
Pimcore Customer Data Framework version 3.0.0 and earlier suffers from a Boolean-based blind SQL injection issue in the $id parame
6.5 MEDIUM
CVE-2021-23405
< 10.0.7
This affects the package pimcore/pimcore before 10.0.7. This issue exists due to the absence of check on the storeId parameter in
8.3 HIGH
CVE-2021-23340
< 6.8.8
This affects the package pimcore/pimcore before 6.8.8. A Local File Inclusion vulnerability exists in the downloadCsvAction functi
7.1 HIGH
CVE-2020-26246
< 6.8.5
Pimcore is an open source digital experience platform. In Pimcore before version 6.8.5 it is possible to modify & create website s
7.7 HIGH
CVE-2020-7759
>= 6.7.2 and < 6.8.3
The package pimcore/pimcore from 6.7.2 and before 6.8.3 is vulnerable to SQL Injection in data classification functionality in Cl
6.5 MEDIUM
CVE-2019-10763
< 6.3.0
pimcore/pimcore before 6.3.0 is vulnerable to SQL Injection. An attacker with limited privileges (classes permission) can achieve
6.5 MEDIUM
CVE-2019-18986
< 6.2.2
Pimcore before 6.2.2 allows attackers to brute-force (guess) valid usernames by using the 'forgot password' functionality as it ret
7.5 HIGH
CVE-2019-18985
< 6.2.2
Pimcore before 6.2.2 lacks brute force protection for the 2FA token.
9.8 CRITICAL
CVE-2019-18982
>= 6.0.0 and < 6.3.0
bundles/AdminBundle/Controller/Admin/EmailController.php in Pimcore before 6.3.0 allows script execution in the Email Log preview
6.1 MEDIUM
CVE-2019-18981
< 6.2.2
Pimcore before 6.2.2 lacks an Access Denied outcome for a certain scenario of an incorrect recipient ID of a notification.
9.8 CRITICAL
CVE-2019-18656
all versions
Pimcore 6.2.3 has XSS in the translations grid because bundles/AdminBundle/Resources/public/js/pimcore/settings/translations.js mi
6.1 MEDIUM
CVE-2019-16318
< 5.7.1
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename,
8.8 HIGH
CVE-2019-16317
< 5.7.1
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename
8.8 HIGH
CVE-2019-10867
< 5.7.1
An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to /admin/class/bulk-
8.8 HIGH
CVE-2018-14059
<= 5.2.3
Pimcore allows XSS via Users, Assets, Data Objects, Video Thumbnails, Image Thumbnails, Field-Collections, Objectbrick, Classifica
5.4 MEDIUM
CVE-2018-14058
< 5.3.0
Pimcore before 5.3.0 allows SQL Injection via the REST web service API.
6.5 MEDIUM
CVE-2018-14057
< 5.3.0
Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the
8.8 HIGH
CVE-2015-4426
all versions
SQL injection vulnerability in pimcore before build 3473 allows remote attackers to execute arbitrary SQL commands via the filter
CVE-2015-4425
all versions
Directory traversal vulnerability in pimcore before build 3473 allows remote authenticated users with the "assets" permission to c
CVE-2014-2922
all versions
The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.1.0 does not prop
CVE-2014-2921
all versions
The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.0.0 does not prop
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin