Miggo Logo
Miggo Vulnerability Database
CVE-2018-14057

CVE-2018-14057:
Pimcore CSRF Vulnerability

8.8

CVSS Score

Basic Information

CVE ID
CVE-2018-14057
GHSA ID
GHSA-gmff-vcv6-mmfr
EPSS Score
-
CWE
CWE-352
Published
5/14/2022
Updated
7/25/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
pimcore/pimcorecomposer< 5.3.05.3.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing CSRF token validation in admin endpoints outside of user/roles settings. The advisory explicitly lists numerous admin endpoints (e.g. /admin/asset/add-asset, /admin/object/save) that lacked X-pimcore-csrf-token validation. In Pimcore's MVC architecture, these endpoints map directly to controller actions in the AdminBundle. The functions listed represent critical administrative operations that would appear in runtime profilers when handling malicious CSRF requests. Confidence is high as the advisory provides specific endpoint paths and the vulnerability pattern matches missing security controls in controller actions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Pim*or* ***or* *.*.* *llows r*mot* *tt**k*rs to *on*u*t *ross-sit* r*qu*st *or**ry (*SR*) *tt**ks *y l*v*r**in* v*li**tion o* t** `X-pim*or*-*sr*-tok*n` *nti-*SR* tok*n only in t** "S*ttin*s > Us*rs / Rol*s" *un*tion.

Reasoning

T** vuln*r**ility st*ms *rom missin* *SR* tok*n v*li**tion in **min *n*points outsi** o* us*r/rol*s s*ttin*s. T** **visory *xpli*itly lists num*rous **min *n*points (*.*. /**min/*ss*t/***-*ss*t, /**min/o*j**t/s*v*) t**t l**k** X-pim*or*-*sr*-tok*n v*