CVE-2022-0258: pimcore is vulnerable to SQL Injection
8.3
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.05522%
CWE
Published
1/21/2022
Updated
2/3/2023
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
pimcore/pimcore | composer | < 10.2.9 | 10.2.9 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The commit diff shows a critical line change where $storeId
was directly interpolated into an SQL condition (storeId = $storeId
). This raw interpolation creates an SQL injection vector. The patch fixes it by adding $db->quote()
to sanitize the input. The vulnerability context (CWE-89
) and the explicit use of quote()
in the fix confirm this was an SQL injection vulnerability stemming from improper input neutralization in this function
.