Drive By RCE Exploit in Pimcore 6.2.0
Blog post from Sonar
The vulnerabilities in Pimcore 6.2.0 were identified as command injection and SQL injection, which can lead to remote code execution. The Exiftool vulnerability is caused by passing user-controlled JSON data directly into a shell command without sanitization. In the downloadImageThumbnailAction() method, the `$config['dpi']` variable is embedded unsanitized into an OS command, allowing an attacker to inject malicious code. Meanwhile, SQL injection occurs in the addCollectionsAction() method where user input is sent to implode(), transforming it into a comma-separated string that is directly embedded into a SQL query without sanitization or validation. This allows an attacker to exploit the vulnerabilities via CSRF attacks and potentially extract sensitive data via side channels. The Pimcore developers acknowledged and fixed these issues in version 6.2.1, demonstrating their security awareness and prompt response to vulnerability reports.
| Trend | Post Mentions | Total Month Mentions | Posts | Companies | MoM |
|---|---|---|---|---|---|
| Vector Search | 1 | 28 | 12 | 9 | -49% |
Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.