CVE-2025-27617

MEDIUM · EPSS 35.8%
Published Mar 11, 2025 (1y ago) · Modified Jun 17, 2026 (2w ago)
6.3 CVSS 4.0 (Medium)

Description

Pimcore is an open source data and experience management platform. Prior to version 11.5.4, an authenticated user can craft a filter string that is concatenated into a SQL filter condition, causing SQL injection (CWE-89). Version 11.5.4 fixes the issue. The references below point at the relation and multiselect filter-condition code in the pre-fix tree and at the fixing commit.
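To make the weakness concrete, the following is an added illustrative model in Python; it is not Pimcore's PHP code and does not reproduce its exact query text. It shows a multiselect filter condition built by concatenating the caller's filter value into a LIKE pattern, beside a version that binds the value as a parameter and escapes LIKE wildcards. The table, column names, sample rows, function names and the payload are all constructed for this demonstration.

```python
import re
import sqlite3

# Constructed sample data (not from Pimcore): a data-object table whose multiselect
# column stores its values comma-delimited, the usual shape behind a
# "LIKE '%,value,%'" filter condition.
SAMPLE_ROWS = [
    ("public-page", ",news,blog,"),
    ("internal-doc", ",internal,"),
    ("draft", ",draft,internal,"),
]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE objects (id INTEGER PRIMARY KEY, name TEXT, tags TEXT)")
    db.executemany("INSERT INTO objects (name, tags) VALUES (?, ?)", SAMPLE_ROWS)
    return db


def condition_vulnerable(field: str, value: str) -> str:
    # Hypothetical model of the flawed pattern: the caller-supplied filter value is
    # concatenated straight into the SQL text, so quotes and LIKE wildcards inside
    # it are interpreted by the database engine.
    return "`%s` LIKE '%%,%s,%%'" % (field, value)


def query_vulnerable(db: sqlite3.Connection, value: str) -> list:
    sql = "SELECT name FROM objects WHERE " + condition_vulnerable("tags", value)
    return [row[0] for row in db.execute(sql)]


_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def condition_safe(field: str) -> str:
    # Identifiers cannot be bound as parameters, so the column name is validated
    # against a strict pattern before being quoted; the value goes to a placeholder
    # and the pattern is assembled by the database with || around it.
    if not _IDENT.match(field):
        raise ValueError("invalid field name: %r" % field)
    return "`%s` LIKE '%%,' || ? || ',%%' ESCAPE '\\'" % field


def escape_like(value: str) -> str:
    # Neutralise LIKE metacharacters so the bound value matches only the literal tag.
    return (value.replace("\\", "\\\\")
                 .replace("%", "\\%")
                 .replace("_", "\\_"))


def query_safe(db: sqlite3.Connection, value: str) -> list:
    sql = "SELECT name FROM objects WHERE " + condition_safe("tags")
    return [row[0] for row in db.execute(sql, (escape_like(value),))]


if __name__ == "__main__":
    db = make_db()
    # Constructed payload: closes the opened quote and appends an always-true clause.
    payload = "x' OR 1=1 OR tags LIKE '"
    print("legit    vulnerable:", query_vulnerable(db, "internal"))
    print("legit    safe      :", query_safe(db, "internal"))
    print("payload  vulnerable:", query_vulnerable(db, payload))
    print("payload  safe      :", query_safe(db, payload))
    print("wildcard vulnerable:", query_vulnerable(db, "%"))
    print("wildcard safe      :", query_safe(db, "%"))
```

Run stand-alone, the legitimate value "internal" returns the same two rows from both builders; the quote-breaking payload makes the concatenating builder return every row while the parameterised one returns nothing; and a bare "%" shows that even a value that breaks no quotes still needs wildcard escaping, otherwise a filter on a single tag matches every object. The same approach carries over to MySQL/MariaDB with a bound parameter, where the default LIKE escape character is also a backslash.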

CVSS Details

Base Score: 6.3 (CVSS 4.0, Medium)
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: None
Vulnerable System Impact: Confidentiality High / Integrity High / Availability High
Subsequent System Impact: None
Exploit Maturity: Unreported (E:U)

Because the vector carries E:U, the 6.3 shown is the threat-adjusted (CVSS-BT) value rather than the base metrics alone. CVSS 4.0 has no Scope metric; the environmental and supplemental metrics are all unset (X).

Threat Intelligence

EPSS Exploit Probability: 35.8% (percentile)
Exploit & Patch Status: No known exploit · Patch available

Weaknesses (1)

CWE-89: SQL Injection (category: Injection)

Affected Products (1)

Vendor    Product   Version   Range
pimcore   pimcore   *         <11.5.4

References (4)

  • Product (pre-fix relation filter-condition parser): https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Extension/RelationFilterConditionParser.php#L29-L47
  • Product (pre-fix multiselect filter condition): https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Multiselect.php#L332-L347
  • Patch: https://github.com/pimcore/pimcore/commit/19a8520895484e68fd254773e32476565d91deea
  • Vendor Advisory: https://github.com/pimcore/pimcore/security/advisories/GHSA-qjpx-5m2p-5pgh

Remediation

Upgrade Pimcore to version 11.5.4 or later, which contains the fix.

  • Patch: https://github.com/pimcore/pimcore/commit/19a8520895484e68fd254773e32476565d91deea