Home / Companies / Sonar / Blog / Post Details
Content Deep Dive

Drive By RCE Exploit in Pimcore 6.2.0

Blog post from Sonar

Post Details
Company
Date Published
Author
Robin Peraglie
Word Count
759
Company Posts That Month
3
Language
English
Hacker News Points
-
Post removed?
No
Summary

The vulnerabilities in Pimcore 6.2.0 were identified as command injection and SQL injection, which can lead to remote code execution. The Exiftool vulnerability is caused by passing user-controlled JSON data directly into a shell command without sanitization. In the downloadImageThumbnailAction() method, the `$config['dpi']` variable is embedded unsanitized into an OS command, allowing an attacker to inject malicious code. Meanwhile, SQL injection occurs in the addCollectionsAction() method where user input is sent to implode(), transforming it into a comma-separated string that is directly embedded into a SQL query without sanitization or validation. This allows an attacker to exploit the vulnerabilities via CSRF attacks and potentially extract sensitive data via side channels. The Pimcore developers acknowledged and fixed these issues in version 6.2.1, demonstrating their security awareness and prompt response to vulnerability reports.

Trends Found in this Post
Trend Post Mentions Total Month Mentions Posts Companies MoM
Vector Search 1 28 12 9 -49%
Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.