Miggo Logo

CVE-2022-0258: pimcore is vulnerable to SQL Injection

8.3

CVSS Score
3.0

Basic Information

EPSS Score
0.05522%
Published
1/21/2022
Updated
2/3/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
pimcore/pimcorecomposer< 10.2.910.2.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit diff shows a critical line change where $storeId was directly interpolated into an SQL condition (storeId = $storeId). This raw interpolation creates an SQL injection vector. The patch fixes it by adding $db->quote() to sanitize the input. The vulnerability context (CWE-89) and the explicit use of quote() in the fix confirm this was an SQL injection vulnerability stemming from improper input neutralization in this function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

pim*or* is vuln*r**l* to Improp*r N*utr*liz*tion o* Sp**i*l *l*m*nts us** in *n SQL *omm*n*

Reasoning

T** *ommit *i** s*ows * *riti**l lin* ***n** w**r* `$stor*I*` w*s *ir**tly int*rpol*t** into *n SQL *on*ition (`stor*I* = $stor*I*`). T*is r*w int*rpol*tion *r**t*s *n SQL inj**tion v**tor. T** p*t** *ix*s it *y ***in* `$**->quot*()` to s*nitiz* t**