Widely used open-source digital experience platform Pimcore has two newly-patched security vulnerabilities, which could have been chained to enable arbitrary code execution
, reports SecurityWeek
Both flaws, which consist of an SQL injection bug and a path traversal vulnerability, are being tracked as CVE-2023-28438 and have been discovered within an admin-only GET request endpoint that did not have CSRF protections. The absence of sanitization in the endpoint's exportFile parameter prior to its inclusion to the web root path could facilitate the control of the extension, which would then allow control of the CSV output file path, name, and extension for PHP file creation, according to SonarSource.
"The impact of [the] path traversal and arbitrary extension is limited (creation of arbitrary files and appending data to existing files) but when combined with the SQL Injection, the exported data can be controlled and a webshell can be uploaded. Attackers can use that to execute arbitrary PHP code on the server with the permissions of the webserver," said Pimcore.