CVE-2022-0263: Unrestricted Upload of File with Dangerous Type in pimcore

CVSS Score (CVSS 3.1): 7.8

Basic Information

EPSS Score: 0.00126%
Published: 1/21/2022
Updated: 2/3/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name: pimcore/pimcore
Ecosystem: composer
Vulnerable Versions: < 10.2.7
First Patched Version: 10.2.7

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from the file upload handler in `SettingsController.php`, which lacked SVG content validation. The GitHub patch adds a check for `<script>` tags in SVG files within this function, indicating that it was the entry point for unsafe uploads. The CWE-434 classification confirms that this is an unrestricted upload of a dangerous file type, and the commit diff directly modifies this function to implement security checks.
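The kind of SVG content check the analysis describes, as an added example in PHP; it is not pimcore's patch or code. The function name and sample inputs are assumptions, and the check goes beyond the `<script>` test mentioned above by parsing the XML and also rejecting DOCTYPEs and `on*` event-handler attributes.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper, not pimcore's API or patch.
// Returns true when an uploaded SVG should be rejected.
function svgHasActiveContent(string $svg): bool
{
    if (trim($svg) === '') {
        return true; // nothing to validate: fail closed
    }
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    $parsed = $doc->loadXML($svg, LIBXML_NONET); // no network access while parsing
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if (!$parsed || $doc->doctype !== null) {
        return true; // malformed XML or a DOCTYPE (entity tricks): reject
    }
    foreach ($doc->getElementsByTagName('*') as $element) {
        // Compare the local name so prefixed forms such as <svg:script> are caught.
        if (strtolower($element->localName) === 'script') {
            return true;
        }
        foreach ($element->attributes as $attribute) {
            // Event-handler attributes (onload, onclick, ...) also carry script.
            if (stripos($attribute->localName, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample uploads, for illustration only.
$samples = [
    'plain shape'   => '<svg xmlns="http://www.w3.org/2000/svg"><rect width="4" height="4"/></svg>',
    'script tag'    => '<svg xmlns="http://www.w3.org/2000/svg"><SCRIPT>/* placeholder */</SCRIPT></svg>',
    'event handler' => '<svg xmlns="http://www.w3.org/2000/svg" onload="/* placeholder */"/>',
    'not XML'       => '<svg><script>',
];
foreach ($samples as $label => $svg) {
    printf("%-14s %s\n", $label, svgHasActiveContent($svg) ? 'reject' : 'accept');
}
```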
