CVE-2018-14057
Title: Pimcore Path Traversal / LFI
Path Traversal / LFI
Proof Of Concept
PoC Available for CVE-2018-14057
CWE Category
CWE-352
Published Date
Aug 17, 2018
Modified Date
Nov 21, 2024
Exploit Status
Available
Score
8.8
CVSS v3.0
Exploit Probability (EPSS)
0.01%
Vulnerability Summary
CVE-2018-14057: Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function.
Impacted Vendors
Reference Links
http://packetstormsecurity.com/files/148954/Pimcore-5.2.3-CSRF-Cross-Site-Scripting-SQL-Injection.html
http://seclists.org/fulldisclosure/2018/Aug/13
https://www.exploit-db.com/exploits/45208/
https://www.sec-consult.com/en/blog/advisories/sql-injection-xss-csrf-vulnerabilities-in-pimcore-software/
http://packetstormsecurity.com/files/148954/Pimcore-5.2.3-CSRF-Cross-Site-Scripting-SQL-Injection.html
http://seclists.org/fulldisclosure/2018/Aug/13
https://www.exploit-db.com/exploits/45208/
https://www.sec-consult.com/en/blog/advisories/sql-injection-xss-csrf-vulnerabilities-in-pimcore-software/
CVSS v3.0
Source Entity
[email protected]
Severity
HIGH
8.8
Attack Vector
NETWORK
Complexity
LOW
Privileges
N/A
Interaction
REQUIRED
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
UNCHANGED
RAW VECTOR
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v2.0
Source Entity
[email protected]
Severity
MEDIUM
6.8
Access Vector
N/A
Authentication
N/A
RAW VECTOR
AV:N/AC:M/Au:N/C:P/I:P/A:P
Associated Attack Patterns (CAPEC)
Total: PatternsNo specific attack patterns mapped.
Likelihood
Severity
Page /
CVE-2018-14057 Exploits & PoCs (Proof Of Concept)
Exploit-DB
https://www.exploit-db.com/exploits/45208
MODIFIED
Vulnerability data or affected products updated.
PUBLISHED
Vulnerability first announced in NVD.
Attack Vector Matrix
Access Vector
NETWORK
Complexity
LOW
Privileges
N/A
Interaction
REQUIRED
CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Stack
No specific products linked.